Researchers in Germany and France have published a paper (PDF) on the preprint site arXiv analyzing the open source software supply chain attacks of the past few years. There are two types of software supply chain attack. The first implants malicious code into a software product itself in order to infect its end users; a well-known example is the NotPetya ransomware attack in Ukraine.
The attackers compromised the update server of a popular accounting software package in Ukraine; the attack caused billions of dollars in damage and was one of the most destructive cyberattacks known.
Another example is the malicious version of CCleaner, which spread to end users through the website and was downloaded 2.3 million times over more than a month. The second type implants malicious code into the dependency packages of software products. With the popularity of the open source development model, such attacks are becoming more common.
The researchers analyzed 174 malicious dependency packages found in the npm, PyPI, and RubyGems package management systems. They found that 56 percent of the packages triggered their malicious behavior during installation and 41 percent used additional criteria to decide whether to run. 61 percent of the malicious packages took advantage of name similarity to get into the open source ecosystem. The attackers' primary goal was to extract data.
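
The two most common traits reported above, install-time triggers and lookalike names, can both be checked before a dependency is installed. The following is an added example, not code from the paper: the `POPULAR` reference list, the distance threshold and the sample manifest are assumptions constructed for illustration.

```python
import json

# Assumed reference list; in practice, load the top packages of your registry.
POPULAR = {"lodash", "express", "requests", "urllib3", "rails", "cross-env"}
# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (an adjacent swap counts as 1)."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def normalize(name: str) -> str:
    # Ignore case and separators so "cross-env" and "crossenv" compare equal.
    return name.lower().replace("-", "").replace("_", "").replace(".", "")

def lookalike_of(name: str, max_dist: int = 1):
    """Return the popular package that `name` resembles, or None."""
    if name in POPULAR:
        return None
    for known in sorted(POPULAR):
        if edit_distance(normalize(name), normalize(known)) <= max_dist:
            return known
    return None

def audit_manifest(manifest_json: str) -> dict:
    """Report install-time hooks and a lookalike name for one package manifest."""
    m = json.loads(manifest_json)
    scripts = m.get("scripts", {})
    return {
        "name": m.get("name", ""),
        "imitates": lookalike_of(m.get("name", "")),
        "install_hooks": {h: scripts[h] for h in INSTALL_HOOKS if h in scripts},
    }

# Constructed sample manifest (not a real package's contents).
SAMPLE = json.dumps({"name": "lodahs", "version": "0.0.1",
                     "scripts": {"postinstall": "node setup.js", "test": "jest"}})

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A package that both resembles a popular name and declares an install hook deserves manual review before it reaches a build machine; either signal alone also occurs in legitimate packages.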