A recent study by Sonatype, a software supply chain management platform, has reported a huge increase in supply chain attacks as part of their eighth annual State of the Software Supply Chain report.

The report also uncovered 88,000 potentially malicious files available to organisations.

Free and/or open-source software downloads have shown a huge increase as organisations and software developers alike look to reduce the time between new software being created and becoming usable.

The firm stated that they expect the number of requests for open-source software to exceed three trillion before the end of 2022.

The significant increase in the use of open-source software means the number of threats and vulnerabilities amongst the safe sources can be missed by developers, according to Sonatype.

As an example, the report explained that Java applications often carry up to 10 updates per year and on average contain 148 dependencies (an increase of 20 in 2021), this means that developers must track nearly 1500 changes each year.

The report also highlighted the issue that 96% of java open-source downloads that contained a known vulnerability could have been avoided by way of an alternative download. These alternative options were equally available, but for unknown reasons were overlooked in favour of those containing vulnerabilities.

The report shows researchers have uncovered 88,000 malicious open-source packages already in 2022 and this equates to the staggering 742% increase over the number recorded for 2019.

In terms of organisations carrying out due diligence regarding the downloading of open-source software packages onto their IT estates, the report also found that whilst 68% of respondents to their survey were confident that they were not utilising vulnerable libraries, a random sample of such applications found that the same number (68%) were in fact found to contain known vulnerabilities.

Whilst Software as a Service and the availability of open-source software can potentially create swifter working practices and improved services for personnel to process their day-to-day tasks, it should be borne in mind the potential vulnerabilities that may lurk inside such software.

Organisations are encouraged to carry out effective due diligence if considering open-source software packages, particularly if organisational networks are connected to such packages.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).