Table of Contents

A Message from Our CEO ... 4
Report Highlights ... 5
Executive Summary ... 6
Key Trends ... 7
Software Supply Chain Attacks Level Up
Crypto: A Canary in the Coalmine for Supply Chain Security ... 7
Focus: Crypto in the Crosshairs ... 8
The XZ Utils Backdoor ... 10
State-Actor Attacks on Development Organizations ... 10
Serious Cyber Risks Lurk in Commercial Binaries ... 10
Commercial Binaries: What You Don’t Know Is Already Hurting You ... 10
Focus: Commercial Software’s Seven Deadly Sins ... 11
Hack of JAVS Highlights Risks Lurking in Commercial Apps ... 13
Implanted Backdoor Delivers RustDoor Malware ... 13
JAVS Differential Analysis Exposes Signs of Tampering ... 14
Links to Ransomware Groups ... 15
Lesson Learned: Don’t Trust, but Verify Commercial Binaries ... 15
The Great Unpatched: Open-Source Risks Persist
Vulnerable and Popular: Serious Risks Lurk In Open-Source Packages ... 16
Critical and Patch-Mandated Flaws Taint Popular Packages ... 17
Mind the Rot ... 19
Who Pays for Vulnerable Code? Customers. ... 19
Focus: Serious Risks Lurk in Torchvision Python Package ... 21
Leaked Secrets Persist on Open-Source Repositories ... 22
Development Secrets Leaks Jump 12% ... 22
Google, AWS (Still) Fertile Ground for Exposed Secrets ... 23
Secrets Leaks a Common Thread in Supply Chain Attacks ... 24
GitGot? GitHub Features Exploited by Malicious Actors ... 25
Malicious Campaigns Crop Up on NuGet, VS Code ... 25
A Drop in Open-Source Malware ... 26
CVEs Lose Relevance ... 27
Cracks in the NVD Emerge ... 27
Vulnrichment to the Rescue? ... 29
Imagining a Post-CVE Future ... 30
Supply Chain Incidents 2024
What Comes Next ... 32
AI/ML Supply Chain Risks Get Real ... 32
Organizations Level Up Their Software Supply Chain Security ... 33
Nth Party Risk: Thinking Beyond the SBOM ... 33
Our Methodology ... 34
CVE and Vulnerability Data ... 34
Security Policies ... 35
OpenSSF Malicious Packages Repository Ratings ... 35
Malicious Package Statistics ... 35
About RL ... 36

A Message from Our CEO

Software Supply Chain Risk Is Evolving. Be Prepared.

This year’s ReversingLabs Software Supply Chain Security Report has a clear message — “Software supply chain risk is evolving” — and a clear moral: “Your organization needs to be ready!”

ReversingLabs’ (RL’s) 2025 report shows that the security of software supply chains lags, even as malicious actors score bigger and bigger wins targeting the commercial and open-source software running in homes, businesses, and powering critical infrastructure. RL’s research over the past year identified compromises of open-source libraries and modules that are widely used in both the cryptocurrency and artificial intelligence sectors. We also uncovered widespread and exploitable flaws in commonly used open-source packages and third-party, commercial software binaries.

Unaddressed security risks such as these set the stage for bigger attacks in 2025. The question is: Are we ready to stare them down?

The key to answering that question — and getting our response right — is changing the status quo for software security, which lacks incentives for software producers to secure their software and IT assets, and complicates efforts by end-user organizations to assess the risks lurking in the software and services their business relies on.

Incidents like recent campaigns by state actors targeting critical infrastructure and telecommunications networks underscore the urgency of efforts by both public- and private-sector entities to accurately assess the cyber risks facing them and take proper steps to secure their IT assets and data. To do so, however, both private- and public-sector organizations need to acknowledge a shift in threats and attacks, including growing instances of software supply chain compromises.

To help underscore this growing risk, RL researchers explored the attack vectors and methods that are favored by both cybercriminal and nation-state actors. Their work provides valuable insights into the evolving cyber-risk landscape and a useful preview of the kinds of threats and attacks that organizations will face in 2025.

Like any good report, our Software Supply Chain Security Report also provides recommendations on how to best address those risks: leveling up your software supply chain security tools and methods, while also pushing back on suppliers for more transparency about their secure development practices and any risks that may lurk in both the open source and proprietary code that powers their solutions.

I hope you enjoy reading this report. We here at RL look forward to continuing our work helping to secure organizations from software supply chain threats in 2025.

Mario Vuksan
CEO and Co-Founder, ReversingLabs

Report Highlights

Software supply chain attacks got more sophisticated in 2024 as malicious actors launched attacks on the build pipelines of prominent open-source projects, singled out AI and machine-learning software supply chains, and took advantage of epidemic, exploitable flaws in black-box, commercial software binaries.[1]

Open-source software risks shifted noticeably. Incidents of open-source malware dropped, while leaks of developer secrets and other sensitive information rose by 12%, fueling high-profile open-source supply ch