Although thousands of software packages and repositories have been compromised by numerous malware attacks targeting open source software components, it is more difficult to measure the actual harm these attacks have caused to organizations. For organizations, the long-term and indirect costs of these attacks might be the most important.
Open source software and components have long been known to pose a threat. Because of their extensive use and the wide range of support levels among various projects, which is partly due to the community upkeep that many of them require, serious vulnerabilities (and threat campaigns) can occasionally evade detection. Both the more recent React2Shell vulnerability from late last year and the devastating Log4Shell vulnerability from 2021 come to mind.
This occurs but is uncommon on a large scale, partly because of the quick response of defenders and partly because of the incompetence of attackers (he cites the Qix attack as an example). Secondary harm is more frequent and occurs when developers must invest time and resources to clean up after minor damage. Even more frequent is indirect harm, where workers must expend resources protecting themselves from new threats whether or not they are at risk.
"Organizations must still perform some degree of incident response even when there is known malicious content. Security teams must, at the very least, evaluate the risk to their organization by attempting to comprehend the threat and looking into any indications of its impact," he says.