The Magic Behind Over 101,000 Malicious Packages Discovered and Blocked

November 08, 2022 By Chris Good

3 minute read time

Nexus Firewall provides industry-leading machine learning by security experts for security experts, detecting suspicious and malicious OSS risks in real-time and at scale before the rest of the world finds out.

Cybercrime and adversaries are getting craftier and more sophisticated with their attacks, placing us amidst a wave of low-cost, high-damage techniques. While hackers used to wait for public vulnerability disclosures to exploit in the wild, they’re now proactively manufacturing vulnerabilities and publishing these into public repositories with no chance of slowing down. With a 742% increase in software supply chain and malware attacks over the last three years, the world that consumes OSS must be proactive to be protected.

How can organizations combat these supply chain attacks that continue to grow in sophistication? It’s more than auditing your repositories for vulnerabilities.

To truly get ahead of supply chain attacks, you must block malicious open source packages before your development organization consumes them.

Sonatype’s repository Firewall is the only solution to detect and block malicious and suspicious open source components from entering your SDLC. Over 101,000 malicious packages have been discovered and blocked using next-generation, proprietary behavioral analysis, and automated policy enforcement. A groundbreaking software supply chain management platform solves the problem of balancing speed, quality, intelligence, and security at scale, equipping engineering teams with the tools they need to code smarter, fix faster, and be secure–all through a single control plane. This is why the world’s leading companies rely on our Nexus platform to prevent risk without hindering developer productivity. Sonatype is able to recognize patterns other solutions can’t, by letting algorithms detect odd behaviors at the time of release, catching attacks that are not known to the world yet.

It’s revolutionary, we know, but how does it work?

Sonatype analyzes the project’s behavior, package namespace, and other project activity using proprietary artificial intelligence algorithms leveraging machine learning for each package released in the most popular ecosystems. These algorithms can detect behavior or contents that are not normal for the project or its’ ecosystem. Each package receives an "Integrity Rating," which determines if the release should be considered Normal or Suspicious.

Packages are marked suspicious when the Sonatype behavioral analysis system flags something out of the ordinary. A package flagged as suspicious may be malicious, and you may wish to wait until further updates.

Critically malicious components are always blocked, and packages deemed suspicious are blocked until they’re confirmed or cleared by Sonatype’s Security Research Team (comprised of 65 world-class professionals with 500+ years of experience.) If cleared, the packages can be automatically released to be consumed by developers, reducing time spent reviewing components and reducing friction.

Nexus Firewall process animation

Think about credit card fraud detection. Credit cards are built around the idea of preventive policing. Let’s say someone steals your credit card, or you fly across the country and try to make a purchase. The security system spots a break in the pattern. Then, the system automatically acts in real-time by stopping a fraudulent purchase and preventing theft.

This is exactly what Sonatype’s repository Firewall can do for you… but for Open Source Software Component activity. We can accurately and preemptively track patterns across multiple industries months before the rest of the world discovers these attacks to ensure that your organization is secure and out of harm’s way.

Now, some OSS components might have risky attributes but are not necessarily harmful to your environment. Vulnerabilities are not inherently malicious but are likely to be used for villainous purposes. In comparison, malicious packages are exclusively used for or associated with malicious activity. Nexus Firewall protects against malicious packages but can also block vulnerable or risky components. We know the difference between malicious and risky, and you can decide what you think is vital for your business.

It doesn’t stop there

We have been detecting, discovering, and disclosing malicious code long before the rest of the world even knows what the malicious code is or even has a name. In fact, we discovered attacks like dependency confusion and typosquatting roughly months before these attacks even had names. Attacks such as dependency confusion, typosquatting, protestware, crypto-mining, and other methods for introducing malicious code into your SDLC can be blocked as soon as they are published, becoming a thing of the past.

You may call this magic, but we call this Nexus Firewall. Sonatype has defined the attacks for the market and will continue to do so into the future.

Tags: Nexus Firewall, Product, Post security/devsecops

Written by Chris Good

Chris is a Product Marketing Manager with Sonatype. Originally from Pittsburgh, PA, Chris studied Communications and Computer Science at the University of Pittsburgh. He enjoys working for Sonatype because of the culture here at the company - it is diverse and promotes creativity.