ReversingLabs.com posted a White Paper that stated that “Hackers are rational actors; they want to accomplish their goals using the least amount of effort possible. Attacking proprietary applications can be hard work. Hackers need to conduct research – ideally by obtaining a copy of the software – then attempt to find weaknesses they can exploit.” The October 14, 2021 White Paper titled “How to Mitigate Software Supply Chain Risk” included these comments:
After years of attacking networks and custom software, enterprising hackers found an easier attack vector and switched to attacking the application development process itself. Even better, attackers need not break into an organization’s source repository. Instead, they simply add their malicious code to common open source projects used by organizations and wait for the developers to add the code to proprietary applications themselves.
For years criminals and hackers have used open source to distribute malicious code. Since anyone can create and distribute open source software, criminals can submit updates to well-known packages hoping maintainers will miss the malicious code, or offer to help with continued maintenance of a project. Even more straightforward is to create a project with a plausibly similar project name that is fully under the criminal’s control. The package can be entirely bogus or a clone of a well-known project but with select hidden malicious characteristics.
By infecting the Open Source, the responsibility for Breach moves onto Application Developers who are no longer an innocent victim but rather unsuspecting accomplices.
No surprise about the risks of Open Source!