Over 454,600 new harmful software packages, cumulatively downloaded 9.8 trillion times, were discovered last year across major repositories including PyPI, Hugging Face, NuGet, Maven Central, and npm, according to The Cyber Express.

Most of the illicit open source packages were on npm, where threats grew more complex, including credential theft, multi-step attacks, and the first self-replicating malware, according to findings from Sonatype's State of the Software Supply Chain report. Some actors flooded ecosystems at speed, with one account pushing over 150,000 bad packages in days, while attackers also hijacked trusted projects to spread malware widely. These campaigns succeed by exploiting fast-paced development, where teams add dependencies quickly and often rely on surface signals such as names, READMEs, and download counts rather than inspecting what a package actually does.

"Open source will keep powering innovation. The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else's problem," researchers said.
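The report's point about "surface signals" is that a package name, README, or download count says nothing about whether the package runs code at install time, how old it is, or whether its name was chosen to be confused with a popular one. The following is an added example (not code from the article, The Cyber Express, or Sonatype) of the kind of check a team can run over npm registry metadata before adopting a dependency. The field layout (`time`, `dist-tags`, `versions`, `scripts`, `maintainers`) follows the npm registry document format, but every value below, including the two package records and the trusted-name list, is constructed for the example; the thresholds (30 days, two maintainers, 0.8 similarity) are assumptions a team would tune.

```python
"""Dependency-vetting checks that look past name, README and download count.

Added example, not from the article or the Sonatype report. It flags signals
that a surface-level review misses:
  * lifecycle scripts that execute during `npm install`
  * a very recent first publish date
  * a single maintainer account
  * a name that closely resembles a well-known package (typosquatting)
All metadata values and the trusted-name list are constructed for the example.
"""
from datetime import datetime, timezone
import difflib

# Constructed list of package names the organisation already trusts.
KNOWN_PACKAGES = {"lodash", "express", "axios", "chalk"}

# npm lifecycle hooks that run code on the developer's or CI machine at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Assumed thresholds; tune for your own risk appetite.
MIN_AGE_DAYS = 30
MIN_MAINTAINERS = 2
LOOKALIKE_CUTOFF = 0.8


def lookalike_of(name, known=KNOWN_PACKAGES, cutoff=LOOKALIKE_CUTOFF):
    """Return a trusted package name that `name` closely resembles but is not, else None."""
    if name in known:
        return None
    matches = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def package_age_days(meta, now):
    """Days since the package was first published, from the registry `time.created` field."""
    created = datetime.fromisoformat(meta["time"]["created"].replace("Z", "+00:00"))
    return (now - created).days


def install_scripts(meta):
    """Lifecycle scripts of the latest version that run during installation."""
    latest = meta["dist-tags"]["latest"]
    scripts = meta["versions"][latest].get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def assess(meta, now=None):
    """Return a list of human-readable risk findings; an empty list means no flags raised."""
    now = now or datetime.now(timezone.utc)
    findings = []
    hooks = install_scripts(meta)
    if hooks:
        findings.append(f"runs code at install time: {sorted(hooks)}")
    age = package_age_days(meta, now)
    if age < MIN_AGE_DAYS:
        findings.append(f"first published {age} days ago")
    if len(meta.get("maintainers", [])) < MIN_MAINTAINERS:
        findings.append("single maintainer")
    twin = lookalike_of(meta["name"])
    if twin:
        findings.append(f"name resembles well-known package '{twin}'")
    return findings


# Fixed "current time" so the example is reproducible (constructed).
FIXED_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)

# Constructed registry record for a package that looks fine on the surface.
SUSPICIOUS_META = {
    "name": "lodahs",
    "dist-tags": {"latest": "1.0.2"},
    "time": {"created": "2025-01-10T00:00:00Z"},
    "maintainers": [{"name": "new-user-0001"}],
    "versions": {"1.0.2": {"scripts": {"postinstall": "node setup.js", "test": "echo ok"}}},
}

# Constructed registry record for an established package (values are invented).
BENIGN_META = {
    "name": "lodash",
    "dist-tags": {"latest": "4.17.21"},
    "time": {"created": "2012-04-23T00:00:00Z"},
    "maintainers": [{"name": "maintainer-a"}, {"name": "maintainer-b"}],
    "versions": {"4.17.21": {"scripts": {"test": "echo ok"}}},
}

if __name__ == "__main__":
    for meta in (BENIGN_META, SUSPICIOUS_META):
        print(meta["name"], "->", assess(meta, now=FIXED_NOW) or ["no findings"])
```

In practice the metadata document comes from `https://registry.npmjs.org/<package>` and the check runs in CI before a lockfile change is merged; the findings are review prompts, not a verdict, since legitimate packages also use install scripts and start out with one maintainer.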