This year presented even more challenges to ensuring the integrity and security of open source ecosystems. Open source has been an enormous boon for developers: virtually anyone can use and customize it, usually at no cost, and contribute back to the community. But the same openness that was meant to bring transparency, security and collaboration between projects also gives adversaries a way in, and they have been quick to exploit it.
As a security researcher, I have encountered and analyzed incidents this year where over 700 typo-squatting RubyGems packages were used for nothing other than bitcoin mining. Then there is the widely reported case of Octopus Scanner, malware that silently injected its tentacles into at least 26 GitHub projects. These incidents underscore the fact that any open system accessible to the public is also accessible to adversaries and subject to abuse.
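Typo-squatting works because a dependency name that is one or two characters off from a popular package still resolves and installs. The following is an added example, not code from the original article or from any of the incidents it describes: it parses the `specs:` section of a Gemfile.lock, compares each gem name against a list of popular names with plain edit distance, and flags near-misses that are not themselves known names. The `POPULAR` list and the `LOCKFILE` text are constructed for illustration; a real check would load the top-N names from the registry's download statistics.

```python
"""Flag lockfile dependencies that are a small edit away from a popular package.

Added example, not part of the original article. POPULAR and LOCKFILE below are
constructed sample data; in practice POPULAR would come from registry download
statistics (several thousand names), and LOCKFILE from the project under review.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def parse_lockfile_specs(text: str) -> list:
    """Return the top-level gem names from the 'specs:' section(s) of a Gemfile.lock.

    Top-level specs are indented four spaces ('    rails (6.0.3)'); their
    transitive dependencies are indented six and are skipped. A line with no
    leading whitespace (PLATFORMS, DEPENDENCIES, ...) ends the section.
    """
    names = []
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not in_specs or not line.strip():
            continue
        if not line.startswith("  "):      # next top-level section
            in_specs = False
            continue
        if line.startswith("      "):      # transitive dependency, not a spec
            continue
        names.append(line.strip().split(" ")[0])
    return names


def find_typosquats(dependencies, popular, max_distance=2):
    """Return (dependency, lookalike, distance) for every dependency that is not
    itself a popular name but is within max_distance edits of one.

    Exact matches are legitimate and skipped, so the popular list must contain
    every well-known name, otherwise a legitimate gem such as 'rack' would be
    reported as a squat of 'rake'.
    """
    popular_set = set(popular)
    hits = []
    for dep in dependencies:
        name = dep.lower()
        if name in popular_set:
            continue
        best = None
        for candidate in popular:
            d = levenshtein(name, candidate)
            if 0 < d <= max_distance and (best is None or d < best[1]):
                best = (candidate, d)
        if best is not None:
            hits.append((dep, best[0], best[1]))
    return hits


# Constructed sample data (hypothetical, not from the incident described above).
POPULAR = ["rails", "nokogiri", "rake", "rack", "bundler", "puma", "devise"]

LOCKFILE = """GEM
  remote: https://rubygems.org/
  specs:
    nokogirl (1.10.9)
      mini_portile2 (~> 2.4.0)
    puma (4.3.5)
    raills (6.0.3)
      actionpack (= 6.0.3)
    rack (2.2.3)

PLATFORMS
  ruby

DEPENDENCIES
  nokogirl
  puma
  raills
  rack
"""

if __name__ == "__main__":
    for dep, lookalike, dist in find_typosquats(parse_lockfile_specs(LOCKFILE), POPULAR):
        print(f"SUSPECT {dep}: {dist} edit(s) from popular gem '{lookalike}'")
```

On the sample lockfile this reports `nokogirl` and `raills` and stays quiet about `puma` and `rack`. Edit distance is a coarse filter: it misses squats that swap a hyphen for an underscore at distance one only if the popular list is incomplete, and it cannot see a genuinely new package that simply carries a plausible name, so treat a hit as a prompt to inspect the gem's publisher, age and install hooks rather than as a verdict.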
The above examples focus on malicious components. What about legitimate open source packages with security vulnerabilities that go unnoticed?
A vulnerable or malicious package that lands in a popular repository, and from there in your software supply chain, can wreak havoc on your customers. Vulnerable and malicious components have been detected in popular open source repositories such as npm, PyPI, NuGet, and Fedora.
“Over the past few years, we have found that in terms of the total vulnerabilities identified in open source packages across ecosystems, Node.js and Java have traditionally shown the highest number of new vulnerabilities each year,” said the authors of Snyk’s State of Open Source Security Report 2020.