{"id":74498,"date":"2022-03-22T09:03:00","date_gmt":"2022-03-22T13:03:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=74498"},"modified":"2026-01-26T17:36:30","modified_gmt":"2026-01-26T15:36:30","slug":"the-open-source-supply-chain-under-assault-new-defenses-are-required","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/the-open-source-supply-chain-under-assault-new-defenses-are-required\/","title":{"rendered":"The Open-Source Supply Chain Under Assault \u2013 New Defenses Are Required"},"content":{"rendered":"

For those who\u2019ve been working in the world of information security over the last two decades have likely taken note of attacker Tactics, Techniques, and Procedures (TTP), and how they\u2019ve evolved over time. Let\u2019s take a closer look at what\u2019s changed.<\/em><\/strong><\/p>\n\n\n\n

The Evolution of TTP<\/h2>\n\n\n\n

In the very beginning of cyberattacks, attackers would spend time creating self-propagating viruses and worms to exploit vulnerable operating systems and desktop applications. For example, the \u201cI Love You\u201d virus, which dates back to the year 2000, infected over ten million computers worldwide. Names like Code Red, SQL Slammer, Sobig, MyDoom, Netsky, Stuxnet, Zues, and so on, made headlines all over the globe. As a result, antivirus companies proliferated, holes were plugged in operating systems, devices and perimeters were hardened, bug bounties were initiated, and many of these TTPs were defeated.<\/p>\n\n\n\n

During much of this same period, a new genre of TTPs emerged in concert with these highly successful malware examples, and phishing became the new name – of an old game. Since perimeter and workstation defenses were somewhat difficult to overcome from the outside-looking-in, attackers knew that if they could fool someone into clicking on a link in an email, back doors could be opened, and perimeter defenses may well be defeated.<\/p>\n\n\n\n

Therefore, a whole new generation of malware surfaced in the form of ransomware and botnets. For example, names like Locky, Tiny Banker Trojan, Mirai, WannaCry, Petya, and many more were the next malware variants to gain notoriety. Email phishing defenses, spam detection systems, employee email phishing training, etc. proliferated and helped defeat some of these attacks.<\/p>\n\n\n\n

As a result, attackers likely began to conclude, \u201cIf we can infect a software supply chain, our malware proliferation and victim count could grow exponentially.\u201d And in December of 2020 they did just that. The SolarWinds supply chain attack took place, leading to both government and enterprise data breaches that made headlines worldwide. However, the SolarWinds\u2019 attack was leveraged against a commercial software supply chain and was not necessarily focused on what is called the open-source supply chain<\/em><\/strong>.<\/p>\n\n\n\n

Why Supply Chain \u2013 Why Now?<\/h2>\n\n\n\n

Today\u2019s attackers realize that infecting the supply chain of open source libraries, packages, components, modules, etc., in the context of open source repositories, a whole new Pandora’s box can be opened. And as we all know, once you open that box, it\u2019s nearly impossible to close. In fact, Checkmarx leadership saw this coming. Back in December of 2019, Maty Siman, Founder and CTO of Checkmarx contributed to this predictions blog.<\/p>\n\n\n\n

Maty wrote, \u201cWith organizations increasingly leveraging open-source software in their applications, next year, we\u2019ll see an uptick in cybercriminals infiltrating open-source projects. Expect to see attackers \u2018contributing\u2019 to open source communities more frequently by injecting malicious payloads directly into open source packages, with the goal of developers and organizations leveraging this tainted code in their applications.<\/p>\n\n\n\n

As we see this scenario unfold, there will be a growing need for processes like developer and open-source contributor background checks [contributor reputation]. Currently, open-source environments are based entirely on trust – organizations typically don\u2019t vet developers\u2019 past projects or reputations. However, as attackers take advantage of open source projects, this trust will begin to erode, forcing organizations to take proactive mitigation steps by thoroughly vetting the open-source code within their applications, as well as those providing it.\u201d<\/p>\n\n\n\n

So, as we see here, Maty Siman was spot on. Not only did Checkmarx see attacks on the open-source supply chain coming, in fact, they did something about it by acquiring<\/a> Dustico in August of 2021. Now, TTPs like dependency confusion, typosquatting, repository jacking (aka ChainJacking), and star jacking are the new name of the game. In fact, Checkmarx just released a new white paper today, Introduction to Supply Chain Attacks<\/a>, explaining how these attacks actually work.<\/p>\n\n\n\n

Landscape Changer: Checkmarx Supply Chain Security<\/h2>\n\n\n\n

As a result of Maty\u2019s predictions (which did come true, by the way), and their proactive stance on defeating supply chain attacks, Checkmarx just announced a new arrow in the quiver of enterprise-class, open-source supply chain defenses. Checkmarx SCA with Supply Chain Security (SCS) is now available, and the solution sets an entirely new bar for all SCA solutions.<\/p>\n\n\n\n

Checkmarx is first to market with supply chain defenses organizations need now which include:<\/p>\n\n\n\n