Security

5005 readers

1 users here now

Confidentiality Integrity Availability

founded 4 years ago

MODERATORS

[email protected]

After XZ Utils, More Open-Source Maintainers Under Attack (www.bankinfosecurity.com)

submitted 6 months ago by [email protected] to c/[email protected]

1 comments fedilink hide all child comments

cross-posted from: https://infosec.pub/post/11143989

Fresh Social Engineering Attacks Resemble Tactics Used Against XZ Utils MaintainerMajor open-source software projects are warning that more pieces of code than XZ Utils may have been backdoored by attackers, based on ongoing supply-chain attack attempts that have targeted "popular JavaScript projects," apparently seeking to trick them into sharing code maintainer rights.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 6 points 6 months ago

I'm kinda glad this happened because I was assuming bad actors were fucking with open source stuff before the XZ stuff came out and now it's on the radar.

Though I wonder if there's any way to automate watching for stuff like this. Like the XZ backdoor involved changing what was supposed to be a bad test file, it would be nice to have a system that treats all input files as immutable and if anything needs to be processed, it goes into a separate output folder plus has a reasoning included as to why the input file needs more processing, especially something that doesn't change from system to system.