Software packages are a popular means to distribute open source and third-party software. They are often pulled from an outside source through a package manager or installer program, and they typically include source code, libraries, documentation, and other files needed to build and run the software.
A malicious package contains malware disguised as a legitimate package, and it is intended to infiltrate and infect software. Once a malicious package’s malware enters a system, it can potentially steal sensitive data, disable security software, modify or delete files, and even take over an entire system or network for its own nefarious purposes.
Unlike code weaknesses and vulnerabilities—which can exist in software for months or years without being exploited—a malicious package is almost always a direct and immediate threat that you need to address, especially when it comes to the software supply chain. According to Gartner, 45% of organizations worldwide have experienced attacks on their software supply chains, a three-fold increase from 2021. Attackers have found that supply chains offer a near-limitless attack surface that can be vulnerable through automatic software updates, software-as-a-service (SaaS) tools, the cloud, and even AI-generated false information (popularly known as “hallucinations”) that can be exploited to trick developers into downloading malicious packages.