Security News
Sarah Gooding
September 20, 2024
A new survey from Tidelift highlights a grim reality that we already knew and would rather not confront: The security of the world’s most critical software hangs on a small number of solo maintainers, the majority of whom are unpaid volunteers.
The report includes insights from 437 respondents who maintain at least one open source project. Despite the clarion call for better maintainer support following incidents like xz-utils and the Log4j vulnerability, 60% of maintainers are still not paid for their work, a finding that mirrors the stats from last year.
The maintainers who are professional or paid for their work are more likely to have help, where more than half of them have two or more co-maintainers. Tidelift found that unpaid maintainers are more likely to be flying solo, with 61% reporting that they maintain their projects alone.
Tidelift’s 2024 findings echo other industry voices that have been working to draw attention to the reality of the solo open source maintainer. In April, Josh Bressers, VP of Security at Anchore, gave a presentation on the mind-boggling size of open source.
“There are A LOT of organizations (governments, foundations, companies) that are trying to create rules and regulations for open source use,” Bressers commented on Mastodon. “And none of them understand how huge it is. And it's not just the size, it's also growing faster than we can possibly keep up (for example there are more than 9000 releases every day. Good luck auditing that).”
In 2022, Bressers responded to a GitHub issue, where OpenSSF was attempting to define a “healthy number” of open source maintainers for OpenSSF projects, with a candid reality check.
“There have been 28 million npm package releases (this is all packages times all versions),” Bressers said. “Of all those releases, 16 million (that is not a typo, 16 with six zeroes) have one maintainer.
“It's very easy to argue that more maintainers is better, but if we want to start pushing a narrative that one maintainer is bad, there's no way to find the millions of developers needed to fill in the gaps.”
While some participants in the discussion said 2+ maintainers is aspirational, the reality is so far from that goal that it seems almost unattainable for many projects. This is especially true for the npm ecosystem where smaller modules are much more common.
“A vast number of OSS projects are single maintainer, and it's not really something the maintainer can fully control - you have to convince others to join,” David Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation, said. “So ‘1 maintainer project’ is a higher risk, but it's not automatically an indicator that the project is poorly run.”
Bressers’ 2024 presentation on the magnitude of open source concludes with two statements that are worth pondering:
There’s nothing wrong with open source, this is how it works.
There’s something wrong with what we expect from open source.
Not much has changed in the last year since Tidelift published its 2023 survey data. Solo open source maintainers are still far and away the most common structure for projects, and the majority of them are still working on a volunteer basis.
Tidelift’s 2024 data sparked more conversation on Mastodon about how many people are actually maintaining the world’s most important software. Using data from Ecosyste.ms, Bressers estimated that there are 1.4 million unique maintainers (those who have the authority to publish or update a package on a package manager).
This is a relatively small number of people when measured against the sheer volume of open source packages and the growing dependency ecosystem that powers modern software.
Ecosyste.ms creator Andrew Nesbitt estimates the number of unique maintainers is even smaller for the critical packages, those that get 80% of all usage within their ecosystems. With these filters in place, there are an estimated 10K people who are supporting the majority of the world’s open source software users.
“Fundamentally there aren't as many developers/maintainers/whatever as everyone thinks there are, and I suspect the current open source developer number is below the number needed for a sustainable population,” Bressers commented.
“I think very successful open source projects like curl and linux have skewed narrative of how open source works. Most projects are one overworked, undervalued, and nearly burnt out person.”
It’s no surprise that Tidelift’s survey found that paid maintainers create more secure software. When asked what improvements maintainers have made to their projects as the result of getting paid for their work, 52% reported that they are better able to research and respond to security issues and bugs, and 51% report improving their project’s secure development practices. 45% of respondents also reported having more time to prioritize remediating vulnerabilities that impact the project or its dependencies.
Paid maintainers are more likely than unpaid maintainers to implement critical security practices, across nearly every category.
Unpaid maintainers say they would be far more willing (over three quarters) to implement critical security practices if they were paid for the work: static code analysis (81%), two-factor authentication (80%), providing fixes and recommendations for vulnerabilities (80%), providing a security disclosure plan (79%), and providing signed releases and published artifact provenance (75%).
Both paid and unpaid maintainers report spending more time on increasing security demands, but in the wake of the xz-utils incident two-thirds (66%) said they are less trusting of pull requests from non-maintainers. More than a third (37%) report that they are also less trusting of contributions from their co-maintainers or feel the need to vet them more carefully. This makes the maintenance burden even more labor-intensive.
At the same time, nearly half of maintainers surveyed feel underappreciated (48%) and like the work is thankless. This year 50% of maintainers reported not being financially compensated enough for their work. The vast majority of maintainers prefer receiving a predictable, monthly income (81%) versus a one-time lump sum (7%). Most are not getting either.
One of the most sobering stats from the 2024 survey is that 60% of maintainers have quit or considered quitting their maintenance work, up 2% from the previous year.
“Users can be so entitled,” one respondent said, “‘Why haven't you merged/fixed this? This project is dead.’ No, I have debts, a full-time job, a young family, my parent just died, and my wife has a serious medical issue. I have already sunk thousands of hours into this project, I don't have time to deal with this right now.”
This survey bears several strong indicators that the state of open source sustainability remains precarious, with the majority of maintainers still unpaid and facing increasing demands, particularly around security. The possibility of an xz-utils style backdoor supply chain attack is now firmly lodged in maintainers’ consciousness, adding a heightened level of caution and stress to what is already a heavy burden.
“To be honest, there's a lot that is troubling here,” Tidelift co-founder Luis Villa said. “Maintainers continue to be burnt out and under-appreciated. We've now had multiple years of White House summits, and an entire EU legislative process, on FOSS security. And yet the same number of maintainers are building software without being paid to do it: about 60% of them. In no other part of the global economy do we expect volunteers to solve our problems—but apparently that's what we're doing here, now.
“As with everything else, xz has passed and gone in a flash—everyone in the industry read an email saying ‘I’m burnt out and unpaid, here are the keys to the kingdom.’ And yet our survey data suggests that, if anyone is trying to solve the problem, maintainers aren't seeing the solutions yet.”