Google is offering protection from malicious packages for free

Google Assured Open Source Software (Assured OSS), a new service that protects open-source repositories from supply chain attacks, is now available for everyone.

One year after initially announcing the service, Google launched it into general availability earlier this week, and amid speculation around its pricing, has made the surprise decision to offer it for free. Those interested in giving Assured OSS a try only need to register a new account.

Today, software development relies heavily on open-source code. Developers from all over the world create code snippets which are then shared with the wider development community through repositories such as GitHub, PyPI, and others. That allows other developers to take that code and implement it in their solutions without needing to spend excessive hours building elements from scratch.

Abusing good intentions

However, this also presents a unique opportunity for threat actors. If they break into developer accounts, they can modify the existing packages with malicious code. If that malicious code ends up being integrated in multiple solutions, it opens numerous doors for hackers to steal sensitive data, deploy stage-two malware, and more. 

Even if they don’t break into accounts, hackers often engage in typosquatting, creating packages that look almost identical to legitimate ones. That way, overworked developers, or those pressed for time, may mistakenly download the wrong package and thus compromise their products. 

Known as a “supply-chain attack”, this has become a fairly common vector of cybercrime in recent years. Last year, for instance, Sonatype reported that between 2019 and 2022, there had been more than 95,000 new malicious packages, with 55,000 in 2021 alone. This amounted to 700% increase in repository attacks over those three years.

“Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever,” said Brian Fox, co-founder and CTO of Sonatype. 

He added, “stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

Now, Google says it will keep the libraries updated and constantly scanned for known flaws. It will also run fuzz tests to look for new vulnerabilities, and engage in developing fixes. 

Via: TechCrunch