Open-Source Cyberattacks Rose 700% Across the Last 3 Years

Open-source threats have been growing at a sustained rate across the last 3 years. Can a firewall really keep you safe?
Adam Rowe

Companies are relying more and more on open-source software code, and hackers are taking advantage. Cyberattacks tied to open-source software have increased a huge 700% across the past 36 months, researchers have found.

That's a massive increase that's even higher than previously reported, and one that must be addressed.

Google is already on the case, having launched its first rewards program specific to open-source software late last month. But not every company has millions of dollars lying around to pay bug bounties. Here's what to know about open-source risks and how to dodge them.

Open-Source Cyberattacks Rose Quickly Across the Last Year

Software supply chain management service provider Sonatype came up with its 700% growth statistic by identifying new malicious open-source packages as they pop up. They found 55,000 from the past 12 months, pulling the 3-year total up to 95,000 and marking a 700% rise over the prior period.

The types of attacks can vary. Some are “typosquatting,” which refers to a type of social engineering attack that relies on misspelled domains to trick users; others are compromised software packages.

“Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever.” -Brian Fox, co-founder and CTO of Sonatype, says to TechRadar

We've already reported that open-source attacks rose 650% year-over-year in 2021, but these new numbers show that the threat has been growing at a sustained rate across multiple years as well.

Closing Down Open-Source Threats

By definition, open-source code can be created, modified and maintained by anyone on the internet. In theory, anyone can verify whether it's malicous or not, just by taking a close look at it. So why is it a threat? Because there's so much it.

The sheer amount of open-source software means that no user can verify everything. Companies aren't able (or willing) to allocate the resources needed to vet software, so they're in danger of slipping up and downloading the wrong code.

Companies like Sonatype aim to reduce these types of attacks with a combination of behavioral analysis and automated policy enforcement. And since manual analysis is tough given the amount of open-source software available, they rely on AI to scan the code.

As long as a company has a sturdy firewall, they'll stay safe. But in the ongoing arms race between cybercriminals and security experts, there's always the danger that the next malware attack can slip through.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting own the latest news on VPNs, POS systems, and the future of tech.

Explore More See all news
close Step up your business video conferencing with GoToMeeting, our top rated conferencing app – try it free for 14 days Try GoToMeeting Free