Mend.io Finds Over 80 Percent of Malicious Packages in Existing Code Bases Capable of Data Exfiltration

New Report on Malicious Packages Shows Exponential Threat of Application Infiltration

TEL AVIV, Israel and BOSTON – April 11, 2023 – Mend.io, a leader in application security, released findings today from its latest report, “Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities,” which illustrates the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and RubyGems alone grew 315 percent. Unlike vulnerabilities, which often sit in application code for months or years without being exploited, a malicious package is an immediate threat to an organization: it is intentionally designed to do harm. Attackers are innovating faster than companies can keep up with the threats coming their way, and a new approach is needed to stay ahead of the impact of malicious packages within applications.

What’s Living in Your Code Base? 

Using its latest feature enhancement, 360° Malicious Package Protection, Mend.io detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of the malicious packages discovered in existing applications were capable of exfiltration, that is, of transmitting information out of the environment without authorization. Threat actors leveraging this type of package can collect protected information in the window between the package being installed and its being discovered and removed.

“Understanding the potential threats out there is just as important as maintaining software best practices, including updating software dependencies regularly, tracking components being implemented into your software, and doing continual software testing,” said Rami Sass, CEO and co-founder, Mend.io. “As long as open source means open, the door’s left open to bad actors, which is why it’s critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and cannot be taken lightly.”

While less than four percent of the malicious packages found were protestware, the trend gained a lot of attention over the past year with incidents of protestware connected to the war between Russia and Ukraine. Global enterprises should be wary of this risk, as it will certainly evolve and mature as other conflicts arise.

Leveraging Opportunity 

When it comes to applications, threat actors are always quick to jump on new attack methods, and they clearly see malicious packages as a golden opportunity. Alongside this, there has been a jump in monthly attacks between 2021 and 2022, as Mend.io research noted a sharp increase in overall numbers starting in October 2021. Case in point: 13 attacks were detected in January 2021, while 530 were detected in January 2022, roughly forty times as many. January 2023 numbers create even more concern, as several spam attacks pushed the monthly tally to 59,919.

“The issue of malicious packages is only going to continue to grow, as the year-over-year trend shows. Detection of malicious open source software and prevention of it entering registries and repositories is critical, on top of exposing lurking packages living in existing code of built and released applications,” said Jeffrey Martin, VP product management, Mend.io. “We recognize the importance and value of this to our customers, and in fact, we launched a feature that detects malicious packages within existing applications. At Mend, we provide a complete solution that enables companies to face the challenge of malicious packages head on by enabling identification of those already in your code base plus the ability to proactively and automatically block new malicious packages from entering your code base.”

About the Report

The report examines data from the 360° Malicious Package Protection feature within Mend.io Software Composition Analysis (SCA) as well as data from Mend.io Supply Chain Defender, a solution that helps enterprises defend the software supply chain. Supply Chain Defender has scanned almost 12.6 million packages since 2020.

To download a full copy of the report, visit here.

About Mend.io

Trusted by the world’s leading companies, including IBM, Google, and Comcast, Mend.io offers a full-spectrum application security platform designed to help leading organizations build and manage mature AppSec programs, enabling them to stop chasing vulnerabilities and start proactively managing application risk.