A Sonatype study showed that next-generation software supply chain attacks have risen by 650% during the past 12 months, with attackers expected to keep targeting upstream software supply chain assets so they can exploit downstream victims at scale, VentureBeat reports.
Dependency confusion incidents were the most prevalent software supply chain attacks in the previous year, followed by typosquatting and malicious source code injections, according to the report.
"[Dependency confusion] involves figuring out the names of internal packages for a particular company’s application and then publishing a package with the same name but a higher semantic version of a package already in use," said Sonatype Executive Vice President Matt Howard.
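One defensive check for the scenario Howard describes, as an added example (not from the Sonatype report or VentureBeat): scan an npm `package-lock.json` for packages in the organisation's internal scope that were resolved from a registry other than the internal one, which is what a successful dependency confusion looks like in a lockfile. The scope `@acme/`, the host `npm.internal.acme.example` and the lockfile contents are constructed for illustration.

```python
"""Flag internal-scope packages resolved from a public registry (dependency confusion)."""
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 2 layout); not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@acme/auth-client": {   # internal name, but fetched from npmjs
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-2.0.0.tgz"},
        "node_modules/@acme/logging": {       # internal name, fetched from internal registry
            "version": "1.4.2",
            "resolved": "https://npm.internal.acme.example/@acme/logging/-/logging-1.4.2.tgz"},
        "node_modules/lodash": {              # public package, public registry: expected
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})

# Assumed organisation policy: everything under these scopes lives only on INTERNAL_HOST.
INTERNAL_SCOPES = ("@acme/",)
INTERNAL_HOST = "npm.internal.acme.example"


def is_internal_name(name, internal_scopes=INTERNAL_SCOPES):
    """True if the package name belongs to an internal scope or prefix."""
    return any(name.startswith(scope) for scope in internal_scopes)


def find_confusion_risks(lock_json, internal_scopes=INTERNAL_SCOPES, internal_host=INTERNAL_HOST):
    """Return (name, version, host) for internal-scope packages not resolved from internal_host."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # keeps the @scope/ prefix
        if not is_internal_name(name, internal_scopes):
            continue
        # A missing 'resolved' field is also suspicious: we cannot prove where it came from.
        host = urlparse(meta.get("resolved", "")).hostname or "<no resolved url>"
        if host != internal_host:
            findings.append((name, meta.get("version", "?"), host))
    return findings


if __name__ == "__main__":
    for name, version, host in find_confusion_risks(SAMPLE_LOCK):
        print(f"RISK: {name}@{version} resolved from {host}, expected {INTERNAL_HOST}")
```

Running this over a real lockfile in CI (failing the build on any finding) catches a public package shadowing an internal name before it is installed on developer machines or build agents.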
The researchers also found that the more popular open source projects had disproportionately more security flaws.
"This stark reality highlights both a critical responsibility and opportunity for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions," Howard said.