That’s a massive increase that’s even higher than previously reported, and one that must be addressed. Google is already on the case, having launched its first rewards program specific to open-source software late last month. But not every company has millions of dollars lying around to pay bug bounties. Here’s what to know about open-source risks and how to dodge them.
Open-Source Cyberattacks Rose Quickly Across the Last Year
Software supply chain management service provider Sonatype came up with its 700% growth statistic by identifying new malicious open-source packages as they pop up. They found 55,000 from the past 12 months, pulling the 3-year total up to 95,000 and marking a 700% rise over the prior period. The types of attacks can vary. Some are “typosquatting,” which refers to a type of social engineering attack that relies on misspelled domains to trick users; others are compromised software packages. We’ve already reported that open-source attacks rose 650% year-over-year in 2021, but these new numbers show that the threat has been growing at a sustained rate across multiple years as well.
Closing Down Open-Source Threats
By definition, open-source code can be created, modified and maintained by anyone on the internet. In theory, anyone can verify whether it’s malicious or not, just by taking a close look at it. So why is it a threat? Because there’s so much of it. The sheer amount of open-source software means that no user can verify everything. Companies aren’t able (or willing) to allocate the resources needed to vet software, so they’re in danger of slipping up and downloading the wrong code. Companies like Sonatype aim to reduce these types of attacks with a combination of behavioral analysis and automated policy enforcement. And since manual analysis is tough given the amount of open-source software available, they rely on AI to scan the code. As long as a company has a sturdy firewall, it will stay safe. But in the ongoing arms race between cybercriminals and security experts, there’s always the danger that the next malware attack can slip through.