Just who is running your favourite project these days?
Joseph Martins Wed 17 Feb 2021 // 20:00 UTC
Sponsored
In November 2020, the JavaScript registry npm flashed a security advisory that a library called twilio-npm harboured malicious code which could backdoor any machine it was downloaded to. Perhaps the most troubling aspect of this tale is that this was the seventh such malicious package found on npm within a month, a stark illustration of the effort that cybercriminals are making to insert themselves into the open source software supply chain.
Between February 2015 and June 2019, 216 such Next Generation Software Supply Chain Attacks were recorded, according to Sonatype’s State of the Software Supply Chain Report, 2020. From July 2019 to May 2020, the number shot up to 929. Attacks jumped 430 per cent between 2019 and 2020.
Open source components are the backbone of modern software development organizations. As the popularity of open source soars, so too do the vulnerable components. When it comes to using open source components to manufacture modern software, the bottom line is this: complete and precise intelligence is critical. Inaccurate or incomplete data will leave organizations to deal with vulnerabilities, licensing, and other quality issues that lead directly to higher costs and reduced innovation.
As a result, we’ve received many requests to use our data capabilities and insight to surface the most popular open source components by region and to do a security deep dive on the vulnerabilities that impact them.