Sonatype Introduces Next Generation Dependency Management | Press Release

blog-logo Sonatype Blog

Malicious Intent: Open Source Developers, Please Protect Your Users

February 14, 2018 By Brian Fox

For the second time in as many weeks we’re seeing the fallout of missteps taken by publishers of open source components. It was just last week that I wrote about the GitHub id of go-bindata being highjacked. We don’t know for certain if the intentions were malicious but the risk was obvious.

Today we are finding that credentials were compromised for an npm component called conventional-changelog and a malicious version was uploaded that allegedly included a Monero cyptocurrency miner. Anyone who built or installed an npm package depending on the malicious package yesterday is now potentially running a miner and worse, potentially distributing it to their downstream users or customers.

A few months ago people were laughing at a parody of a similar situation describing credit card harvesting via a compromised package. It's not so funny any more, is it?

Open source developers typically thrive in creating something used by millions or billions of other people. This is the fuel that drives us and knowing that you’ve contributed, even in some small part, to the lives of millions of users is amazing.

Conversely, knowing that you’ve accidentally inflicted harm on those users through careless practices is probably devastating… yet seemingly not enough people are thinking about this before hand while it’s preventable.

We open source developers and package maintainers are finding ourselves at the front line of the new battle. Attackers have recognized the power of open source in terms of broad distribution and are seeking to use that against us.

We must not let them ruin the reputation of the things we’ve built. Or worse, the entire open source ecosystem.

If you're an open source contributor or package maintainer: Pay attention to your own digital security as you would if you were protecting millions of others. Because you are.

Tags: software bill of materials, open source governance, open source policies, Application Security, devsecops, Software composition analysis

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.