Malicious open-source software packages have increased sharply in 2024: more than 500,000 new malicious packages have been identified since November 2023 across the Java, JavaScript, Python, and .NET ecosystems. Sonatype reports that of roughly 700,000 malicious packages it has tracked since 2019, about 70% were discovered in the most recent year.

 Malicious open-source software packages have exploded in 2024

Enterprises also struggle with the quality of the open-source components they already use: the average application contains about 180 third-party components, and more than 80% of vulnerable dependencies remain unpatched for over a year. Malware planted in open source can lead to supply-chain compromise, and the observed payloads serve a range of purposes, including phishing, theft of sensitive data, backdoor deployment, and cryptocurrency mining.

Organizations find it hard to manage vulnerabilities inherited from dependencies, in particular because severity ratings vary between sources and vulnerability information is often unreliable. Adopting SBOMs can reduce risk and speed up vulnerability fixes, but only a fraction of newly released components ship with one, and the average time to fix vulnerabilities is rising across all severity levels.
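The following is an added example, not code from the article or from Sonatype, of the kind of check an SBOM makes cheap: match the components listed in a CycloneDX-style SBOM against advisories from several sources, and when the sources disagree on severity, keep the highest rating and flag the disagreement for review. The SBOM, the package names (example-json, example-http, example-log), the advisory IDs (ADV-0001, ADV-0002) and the two source names are all constructed for the example.

```python
"""Triage vulnerable dependencies listed in a CycloneDX-style SBOM.

Added example: the SBOM and the advisories below are constructed, not real.
"""
import json

# Constructed SBOM in CycloneDX 1.5 JSON shape; package names are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.1.0",
     "purl": "pkg:npm/example-json@2.1.0"},
    {"type": "library", "name": "example-http", "version": "0.9.3",
     "purl": "pkg:pypi/example-http@0.9.3"},
    {"type": "library", "name": "example-log", "version": "4.0.2",
     "purl": "pkg:maven/org.example/example-log@4.0.2"}
  ]
}
"""

# Constructed advisories from two hypothetical sources that disagree on severity.
# "affected_below" is the first fixed version; anything older is affected.
ADVISORIES = [
    {"id": "ADV-0001", "purl_base": "pkg:npm/example-json",
     "affected_below": "2.2.0", "source": "vendor", "severity": "HIGH"},
    {"id": "ADV-0001", "purl_base": "pkg:npm/example-json",
     "affected_below": "2.2.0", "source": "aggregator", "severity": "MEDIUM"},
    {"id": "ADV-0002", "purl_base": "pkg:maven/org.example/example-log",
     "affected_below": "4.0.1", "source": "vendor", "severity": "CRITICAL"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(version):
    """Compare plain dotted-integer versions as tuples.

    Real ecosystems need their own rules (semver prereleases, PEP 440 epochs,
    Maven qualifiers); this is deliberately minimal for the constructed data.
    """
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (base, version).

    Assumes no '?qualifiers' or '#subpath' suffix, which the sample purls lack.
    """
    base, _, version = purl.rpartition("@")
    return base, version


def triage(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that is affected.

    Each finding carries every source's rating, the conservative (highest)
    severity, and a 'disputed' flag when the sources disagree.
    """
    sbom = json.loads(sbom_json)
    by_key = {}
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            # Exact match on the versionless purl, so example-json does not
            # accidentally match a hypothetical example-json-extra package.
            if adv["purl_base"] != base:
                continue
            if parse_version(version) >= parse_version(adv["affected_below"]):
                continue  # already at or past the fixed version
            key = (comp["purl"], adv["id"])
            entry = by_key.setdefault(key, {
                "purl": comp["purl"],
                "advisory": adv["id"],
                "fixed_in": adv["affected_below"],
                "sources": {},
            })
            entry["sources"][adv["source"]] = adv["severity"]

    findings = []
    for entry in by_key.values():
        ratings = entry["sources"].values()
        entry["severity"] = max(ratings, key=SEVERITY_RANK.__getitem__)
        entry["disputed"] = len({SEVERITY_RANK[r] for r in ratings}) > 1
        findings.append(entry)
    # Work the highest severity first.
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, ADVISORIES):
        print(json.dumps(finding, indent=2))
```

With the constructed data only example-json is reported: it is below the fixed version 2.2.0, and the two sources rate it HIGH and MEDIUM, so the finding is marked HIGH and disputed. example-log at 4.0.2 is already past the 4.0.1 fix and is skipped. Taking the highest rating is the conservative choice when advisory sources disagree; the disputed flag is what lets a team revisit the rating instead of silently inheriting one source's view.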
https://www.csoonline.com/article/3560646/malicious-open-source-software-packages-have-exploded-in-2024.html