Sonatype's Nexus Intelligence research engine now automatically detects counterfeit and malicious code injected into open source software supply chains.
The patent-pending technology can monitor millions of open source projects in real time to identify abnormal development behaviour and suspicious patterns as new component versions are released.
In the past two years, the company has found more than 20 instances of adversaries publishing malicious components into public open source and container repositories.
Adversaries used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors and even deliver targeted patches to alter proprietary code, the company said.
“By combining a new type of behavioural analysis with machine learning and proprietary data, Nexus Intelligence now recognizes when new releases of an OSS project demonstrate heightened risk attributes. Infused with this new type of intelligence, the Nexus Platform is enabling innovative policy controls to protect organizations from emergent supply chain threats,” said Brian Fox, CTO of Sonatype.
In addition to identifying malicious activity based on commit behaviour, Sonatype’s expanded Nexus Intelligence capabilities also collect real-time metadata pertaining to the quality of new component version releases.
This will enable developers to automate and scale dependency management with ease.
Combating Malicious Attacks
New versions of open source components are being released every day at an overwhelming pace.
According to Sonatype, approximately 20,000 component updates are made per day, making it impossible for most teams to manually manage dependencies.
In addition, open source project code altered by malicious injections has been difficult to detect because it looks very similar to legitimate open source contributions.
Sonatype claims its next-generation Nexus Intelligence will automate this otherwise painful process and help developers update to the best and newest versions of component releases.
“While stopping malicious attacks is critical, what people don’t always recognize as just as important is the inherent risk associated with each update to a new version of a component. Or, the risk of not updating,” said Fox.
“Whether you’re concerned about malicious attacks or the quality of the release you’re updating to, we’re working on providing a proactive level of risk protection that is unparalleled. Every other open source security vendor can only provide reactive assistance,” he added.
The first iteration of Sonatype’s new Nexus Intelligence capabilities will focus on understanding the commit behaviours and patterns of npm components and their creators. The company plans to expand to additional languages over time.