Without a doubt, many of the online freedoms we enjoy today might not have come about if not for open source code. From Linux to Firefox, much of the online world was built on source code that was freely available for everyone to use and develop in a collaborative, collective endeavor.
But with today’s ubiquity and multitude of open source developers, the Internet may have unwittingly let some snakes into the proverbial garden. According to software security company Checkmarx, open source code can be found in over 90% of apps, making it very difficult to spot and weed out malicious code.
In a press briefing on August 17, Checkmarx called for the software industry to secure its supply chains. Checkmarx’s own head of software supply chain, Tzachi Zornstain, pointed out that developers don’t always have time to closely scrutinize the inner workings of open source code packages.
He warned that bad actors can exploit popular and frequently-downloaded code packages, taking advantage of developers’ trust that other developers who had previously accessed the packages can and should have spotted any irregularities.
“Now we are seeing attackers exploiting this trust. So we are seeing more and more attacks on good packages… so we are seeing this is a trend and not just a one-time event,” Zornstain warned.
Checkmarx found account takeovers to be a fairly common kind of attack. In 2021, for example, the identities of trusted developers in a Russian underground forum were stolen and used to embed password stealers, cryptominers, and other malicious packages within the developers’ trusted open source code.
Other attackers are able to get away with simply naming their malicious packages very closely to trusted packages and faking their credentials, in the hopes of fooling less-than-eagle eyed developers.
Some attack groups have even gone so far as to specialize on just a handful of packages. Checkmarx cites as examples Redlili and Cuteboi, which used custom tools to poison packages en masse. According to Checkmarx, Redlili alone was able to poison 1,500 packages in just a month, with many of these remaining undetected until as recently as August 2022.
There have also been cases of open source code being attacked with the purpose of making a political stand, as in the case of “Protestware” discovered in March 2022 – around the start of the Russia-Ukraine war – that deletes all of a user’s files if they are located in Russia or Belarus.
However, despite the rise of such malicious actors, Checkmarx is quick to affirm the essential benefits of open source code to developers around the world.
“Open source is the right way to develop…The problem that we have right now is that the basic assumption that developers have is if it’s popular and well-used, it will automatically be ok. So we need as an industry to allow developers more tools so they can check that the code they are automatically using is actually safe,” Zornstain explained.
