Sonatype Offers Its Malicious Source Code Blocker as a Service

Sonatype‘s Repository Firewall, a security code scanner, is now available as a Software-as-a-Service (SaaS), which can be used to help block malicious code from getting into a supply chain early on.

The Repository Firewall, Sonatype claims, scans and evaluates components for potential vulnerabilities and malicious open source code prior to their integration into a company’s development life cycle. Sonatype has scrutinized over 120 million open source components to date. The Repository Firewall has identified approximately 145,000 harmful components, preventing them from infiltrating software development pipelines.

Malicious Code Protection

Sonatype Repository Firewall, according to the company’s press release, delivers best-in-class malware and malicious code attack protection for your development teams through:

• Advanced Protection: Stop attacks at the repository level with automatic quarantining of malicious and suspicious packages.
• Continuous Threat Prevention: Protect your Software Development Life Cycle (SDLC) from evolving malicious open source threats, including vulnerabilities, malware, next-generation supply chain attacks, brandjacking, typosquatting, dependency confusion attacks, and more.
• Fast Remediation: Contextual remediation information identifies why components were blocked and offer alternatives so developers can fix issues quickly.
• Customizable Policy Rules: Automatically control what OSS components are allowed into your SDLC, what to quarantine, and what is released from quarantine.
• Flexible Deployment Options: Cloud, self-hosted, and air-gapped deployment options let you run Sonatype Repository Firewall anywhere.

The service also incorporates Sonatype Nexus Repository, a component, binary and build artifact repository and manager, and Sonatype Lifecycle, which helps safeguard and manage your code pipeline. Additionally, Sonatype serves as the official custodian of the Maven Central Repository, one of the globe’s oldest, largest, and most well-established Java repositories.

The company’s automated detection systems for malicious open source and malware regularly flag hundreds of dangerous packages. For instance, the system detected numerous malicious Python Package Index (PyPI) packages in June 2023. Some employed familiar obfuscation techniques, while others bore the name of the renowned npm “colors” library but contained trojans. These packages primarily targeted the Windows operating system.

Another PyPI package of note, “libiobe”, mimics a legitimate library named “iobes.” This package, analyzed by Sonatype security researcher Carlos Fernandez, targets both Windows and Unix users. It deploys a malicious executable for Windows users and runs minified Python code for Unix users. The latter profiles your system and sends your fingerprinting data to a hostile user.

While the targeted audience or potential victims of these latest hacked packages remain unclear, they serve as a testament to the escalating malicious attacks plaguing open source software registries like PyPI and npm. And, why using a service such as Sonatype Repository Firewall to defend your programming pipeline make good sense.

By IBM’s 2022 Data Breach count, the avenge destructive or wiper attack cost, on average is $5.12 million.