A backdoor that researchers discovered hiding inside open supply code concentrating on 4 German corporations was the work of an expert penetration tester. The tester was checking shoppers’ resilience in opposition to a brand new class of assaults that exploits public repositories utilized by tens of millions of software program tasks worldwide. But it surely might have been unhealthy. Very unhealthy.
Dependency confusion is a brand new type of supply-chain assault that got here to the forefront in March 2021, when a researcher demonstrated he might use it to execute unauthorized code of his alternative on networks belonging to Apple, Microsoft, and 33 different corporations. The researcher, Alex Birsan, acquired $130,000 in bug bounties and credit score for growing the brand new assault type.
A number of weeks later, a unique researcher uncovered proof that confirmed that Amazon, Slack, Lyft, Zillow, and different corporations had been focused in assaults that used the identical method. The discharge of greater than 200 malicious packages into the wild indicated the assault Birsan devised appealed to real-world risk actors.
Learn 14 remaining paragraphs | Feedback