Posted 3/31/2024, 2:23:00 PM
Supply Chain Attack Embeds Malicious Code in Core Linux Utility for Years, Highlighting Open Source Security Risks
- A Microsoft researcher found malicious code in a core Linux utility that could allow attackers to break sshd authentication and gain access to systems
- The code was injected through a supply-chain attack into the widely used XZ compression library, which was maintained by a single developer
- The attacker gained the maintainer's trust over years before inserting the code, showing nation-state-level sophistication
- The code went undetected for years and could have posed a major threat had the sshd code run faster than 600ms, since the slowdown was what drew attention to it
- A rapid response from the open source community prevented catastrophe, but the incident highlights the risks of maintainer burnout and the need for better security practices