Supply Chain attacks in the software dependencies

I have mentioned hardware supply chain compromises before; the software side is less well known. The linked write-up sheds light on this:

Let’s talk about supply chain attacks and backdoored dependencies

What makes supply chain attacks particularly attractive is that they are cheap and easy to execute as they (most of the time) don’t require exploits, the attack surface is huge, they can have a large reach, with packages downloaded 1M+ times a week for example, and because they allow remote code execution on developers’ machines, the exfiltrated data and credentials can be used to reach even more targets, which makes them a good way to spread a worm.

The write-up is complex for me to understand, but there are many links here to follow through what the author has compiled.
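The quoted paragraph names the two things that make a backdoored dependency dangerous: the artifact itself can be swapped for a tampered one, and package managers run install-time scripts on the developer's machine. The following Python script is an added example (not code from this post or from the linked write-up) showing the two corresponding defensive checks: verifying a downloaded archive against the hash pinned in a lockfile (pip's `sha256:` pins and npm's Subresource Integrity `integrity` strings), and listing install-time lifecycle hooks in a manifest so they can be reviewed before installation. All package names, archive bytes and manifest contents are constructed for the example.

```python
"""Two defensive checks against backdoored dependencies, run offline on
constructed sample data (added example; not from the original post)."""
import base64
import hashlib
import hmac
import json

# npm lifecycle scripts that run automatically during `npm install`; any
# command listed under these keys executes on the developer's machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def pin_for(data: bytes) -> str:
    """Produce a pip-style pin ('sha256:<hex>') for an artifact. In practice
    this value is recorded in the lockfile when the dependency is first
    reviewed, not computed at install time."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_pinned_hash(archive: bytes, pinned: str) -> bool:
    """Return True only if the downloaded archive matches the pinned hash
    (what `pip install --require-hashes` enforces)."""
    algo, sep, expected = pinned.partition(":")
    if sep != ":" or algo != "sha256":
        raise ValueError(f"unsupported pin format: {pinned!r}")
    actual = hashlib.sha256(archive).hexdigest()
    # hmac.compare_digest is a constant-time comparison; a harmless habit
    # even though the hash is not secret.
    return hmac.compare_digest(actual, expected.lower())


def npm_integrity_for(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string '<algo>-<base64 digest>' as npm lockfiles store it."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-" + base64.b64encode(digest).decode("ascii")


def verify_npm_integrity(archive: bytes, integrity: str) -> bool:
    """Check a downloaded tarball against an npm 'integrity' field."""
    algo, sep, b64 = integrity.partition("-")
    if sep != "-" or algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity format: {integrity!r}")
    expected = base64.b64decode(b64)
    actual = hashlib.new(algo, archive).digest()
    return hmac.compare_digest(actual, expected)


def find_install_hooks(manifest_json: str) -> list:
    """Return (hook, command) pairs for every install-time script declared
    in a package.json, so a reviewer can inspect them before installing."""
    manifest = json.loads(manifest_json)
    scripts = manifest.get("scripts", {})
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def audit(archive: bytes, pin: str, manifest_json: str) -> dict:
    """Combine both checks: block installation when hash_ok is False and
    flag any install hooks for manual review."""
    return {
        "hash_ok": verify_pinned_hash(archive, pin),
        "install_hooks": find_install_hooks(manifest_json),
    }


# --- constructed sample data; "example-lib" is not a real package ---
GOOD_ARCHIVE = b"constructed tarball bytes for example-lib 1.2.3"
# A tampered copy differs by a few appended bytes, which is enough to
# change the digest.
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# appended bytes simulating tampering"
LOCKED_PIN = pin_for(GOOD_ARCHIVE)            # what a pip lockfile would hold
LOCKED_SRI = npm_integrity_for(GOOD_ARCHIVE)  # what package-lock.json would hold

SAMPLE_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "1.2.3",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
})


if __name__ == "__main__":
    print("untampered:", audit(GOOD_ARCHIVE, LOCKED_PIN, SAMPLE_MANIFEST))
    print("tampered:  ", audit(TAMPERED_ARCHIVE, LOCKED_PIN, SAMPLE_MANIFEST))
```

The hash check only helps if the pin was recorded from a copy that was reviewed at the time; it detects later substitution, not a backdoor that was present when the dependency was first locked. The hook listing is a review aid, not a verdict: a `postinstall` script is common in legitimate packages (native builds, for instance), which is why the script returns the command for a human to read rather than refusing outright.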
