Poisoned Open Source and the Future of Supply Chain Attacks
Two supply chain attacks last month infected open source tools with malware and used them to steal secrets from tens of thousands of organizations.
These tools are pulled into other software as dependencies, often without the people running that software knowing they are there.
One of them is Trivy, a vulnerability scanner built into thousands of CI/CD pipelines, where it scans container images and code for known vulnerabilities.
The other is Axios. I wrote about that attack recently. Axios has about a hundred million weekly downloads.
The two attacks were orchestrated by different groups. The common thread is the calculation that compromising one widely used dependency reaches everything built on top of it: the malware Powerball jackpot.
With AI tools like Claude Mythos and the source code of open source projects freely available, assume that attacks like this will be the new norm. In fact, attackers don't even really need Mythos. In the case of the Axios attack, they compromised a developer's account, which allowed them to submit code changes, so there are multiple avenues for launching an attack.
The problem development teams have right now is that without a Software Bill of Materials (SBoM) they don't know what is in their software, and so cannot answer the first question an advisory raises: is the compromised version in our build? Think of it this way. You are deathly allergic to peanuts, but no food available to you has a list of ingredients on it. That is what developers deal with every day.
When these attacks happen, the attackers capture tens of thousands of credentials and an unlimited amount of data.
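As an added example (not code from the original post, and not from the Trivy or Axios projects), here is a small Python check that answers the question the SBoM paragraph raises: does the SBoM for a build contain a package version named in an advisory? It parses a CycloneDX JSON document, walks nested components, matches each component's package URL (purl) against a denylist, and separately reports components that carry no purl at all, since those cannot be matched and are a blind spot. The SBoM document and the denylist versions below are constructed placeholders, not the real compromised versions; substitute the versions named in the vendors' advisories.

```python
"""Match a CycloneDX SBOM against a list of known-compromised package versions.

Added example; the SBOM and the version numbers are constructed for
illustration and are NOT the real compromised releases.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 document. Versions are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "axios", "version": "0.0.0-placeholder",
         "purl": "pkg:npm/axios@0.0.0-placeholder"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         # Nested component, e.g. a dependency bundled inside a package.
         # Scoped npm names encode the leading '@' as %40 in a purl.
         "components": [
             {"type": "library", "name": "@acme/helper",
              "version": "0.0.0-placeholder",
              "purl": "pkg:npm/%40acme/helper@0.0.0-placeholder"}]},
        # A component with no purl cannot be matched reliably.
        {"type": "library", "name": "internal-lib", "version": "3.1.0"},
        {"type": "application", "name": "trivy", "version": "0.0.0-example",
         "purl": "pkg:golang/github.com/aquasecurity/trivy@v0.0.0-example"},
    ],
})

# Hypothetical denylist of (purl type, full name, version). Fill this from
# the vendor advisory; these entries are placeholders.
COMPROMISED = {
    ("npm", "axios", "0.0.0-placeholder"),
    ("npm", "@acme/helper", "0.0.0-placeholder"),
}


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split a package URL into (type, namespace/name, version).

    Minimal parser: drops qualifiers (?...) and subpath (#...), keeps the
    namespace as part of the name, and percent-decodes both name and version.
    The version separator '@' is literal; a scope '@' is encoded as %40.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, path = body.partition("/")
    if "@" in path:
        path, _, version = path.rpartition("@")
    else:
        version = ""
    return ptype, unquote(path), unquote(version)


def iter_components(components):
    """Yield every component, including those nested inside other components."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def find_compromised(sbom_json: str, denylist) -> tuple[list[str], list[str]]:
    """Return (matches, unidentified).

    matches: "type:name@version" for each component on the denylist.
    unidentified: "name@version" for components with no purl, which this
    check cannot vouch for either way.
    """
    sbom = json.loads(sbom_json)
    matches, unidentified = [], []
    for comp in iter_components(sbom.get("components")):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(f"{comp.get('name', '?')}@{comp.get('version', '?')}")
            continue
        key = parse_purl(purl)
        if key in denylist:
            matches.append(f"{key[0]}:{key[1]}@{key[2]}")
    return matches, unidentified


if __name__ == "__main__":
    hits, unknown = find_compromised(SAMPLE_SBOM, COMPROMISED)
    for hit in hits:
        print("COMPROMISED:", hit)
    for item in unknown:
        print("NO PURL, CANNOT CHECK:", item)
```

The second return value is the part teams tend to skip: an SBoM entry without a package URL is an ingredient with no label, and the build should not be declared clean until those components are identified. The same structure works for SBoMs produced by tools such as Syft or cyclonedx-npm, as long as they emit purls.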
Are you prepared? If not, contact us. Credit: The Register
