Socket CEO Feross Aboukhadijeh presented at Node Congress earlier this month on the darker aspects of open source, particularly in the npm and JavaScript ecosystems. He dives into some interesting examples of malicious code from recent software supply chain attacks.
What is the Supply Chain?
It’s not uncommon to see applications where 90% of the code comes from open source dependencies, code that was not written in-house. The average open source dependency pulls in 79 transitive dependencies of its own.
“In this world where your application is built on thousands of dependencies, software security is not just about your code — it's about every piece of code that you depend on,” Feross said.
"Fundamentally, the problem here is that we're using so many packages but we just don't have the time to read every line of code in our dependencies."
Software supply chains include all of this third-party code, APIs, cloud services, and even dependencies like your operating system.
Open Source Supply Chains Are Under Attack
“As developers, we’re always trusting other people,” Feross said. “Open source is built on trust, and for the most part, this trust is well-placed.” There are a few bad actors who abuse public registries by releasing malicious packages or hijacking legitimate ones.
According to a research paper published in 2021, it previously took the security community over 200 days on average to detect a malicious package. Socket now catches these attempts often within minutes of their being published to the public registries, and we’re detecting and blocking over 100 of these types of attacks every week.
Feross explained that even after these malicious packages are reported and taken down, they’re often not cataloged or preserved in any way. They don’t go into the usual vulnerability tracking systems like the NVD; they are simply removed from the registry, so developers have no way to find out whether they installed that package in the past. This is something we’re trying to change at Socket.
In this talk, Feross breaks down a few examples of malicious code in supply chain attacks we have seen recently. Check out the video below to get a broader picture of what open source security means and some real world examples of how attackers are exploiting open source dependencies.