Mend
Special Report on Software Supply Chain Malware
Pages
11
Time to read
15 mins
Publication
Language
English
This technical report presents findings on the increasing threat of malicious packages within software supply chains. It outlines the significant rise in malicious package attacks, with a reported 315 percent increase in malicious packages published to npm and RubyGems from 2021 to 2022. The report details various attack vectors employed by malicious actors, including brandjacking, typosquatting, dependency hijacking, and dependency confusion. It also highlights the alarming trend of malicious package exfiltration attacks, with 85 percent of discovered malicious packages capable of unauthorized information transmission. The report further discusses the evolving complexity of applications and the vulnerabilities associated with open-source code. It emphasizes the importance of detecting and mitigating these threats to protect existing code bases, as many organizations may unknowingly harbor malicious packages. The findings underscore the need for enhanced security measures in software development and supply chain management to combat these escalating risks.