SBN

Why Developers are Becoming the Weakest Link in Supply Chain Attacks


“I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.” – Elliot Alderson, Mr. Robot


If you’re a software developer, you’re already a target. 

As cyber-attacks continue to grow exponentially worldwide, threat actors have shifted their focus from endpoints and end users to the software supply chain (see SolarWinds, Log4j, and Kaseya). Attackers have realized that today’s production environments are far better hardened and harder to break into than before, which makes the often unsecured build environments the hot new channel for cybercrime.

A good analogy is home burglary: when only your front door is well-protected with high-level security locks, an alarm system, and an outdoor camera, burglars will try to break in through an open window.    

Attackers are adding malware in disguise to open source repositories, publishing it under names similar to those of real packages (a practice called ‘typosquatting’) with the goal of tricking software developers into installing it. As an example, we recently discovered malicious packages impersonating “requests” (a legitimate, widely used PyPI library) under the names “requesys”, “requesrs”, and “requesr”. Lack of creativity? On the contrary: the attackers wanted you to accidentally mistype “requests” so that you would end up installing their malicious packages, which contained ransomware.
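As an added example (not code from the Sonatype post), here is a small dependency-review check that flags requirement names lying within a couple of edits of a well-known PyPI package, exercised on the three “requests” lookalikes named above; the allow-list of known packages and the requirements file are constructed for the demo.

```python
import re

# Constructed allow-list of well-known PyPI names (hypothetical; a real check
# would use a curated list or the organisation's internal registry).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "flask", "django", "cryptography"}

# Constructed requirements file: two legitimate names, the three lookalikes of
# "requests" named in the post, and one unrelated name as a control.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "requesys", "requesrs>=1.0",
                       "requesr", "numpy", "colorama  # pinned later"]

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion, substitution and
    swap of two adjacent characters each cost 1 (the common typo shapes)."""
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev_prev[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev_prev, prev = prev, cur
    return prev[-1]

def check_requirements(lines: list[str], max_distance: int = 2) -> dict[str, str]:
    """Map each requested name that is not a known package but lies within
    max_distance edits of one to that package: a likely typosquat to review."""
    findings: dict[str, str] = {}
    for line in lines:
        spec = line.split("#", 1)[0].strip()          # drop comments
        if not spec:
            continue
        # Requirement name ends at the first version/extras/marker character.
        name = normalize(re.split(r"[=<>!~\[ ;@]", spec, maxsplit=1)[0])
        if name in KNOWN_PACKAGES:
            continue
        closest = min(KNOWN_PACKAGES, key=lambda k: damerau_levenshtein(name, k))
        if damerau_levenshtein(name, closest) <= max_distance:
            findings[name] = closest
    return findings

if __name__ == "__main__":
    for bad, good in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"review: {bad!r} is {damerau_levenshtein(bad, good)} edit(s) from {good!r}")
```

A fixed distance threshold gives false positives for very short package names, so in practice the allow-list and threshold should be tuned per organisation and flagged names reviewed by a human rather than blocked automatically.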

The Growing Adoption of Open Source

One of the main reasons bad actors are targeting open source is because of its high adoption rate in the last decade. 

If you look at the evolution of a company like Microsoft you’ll notice that they went from hostility towards the open source movement in 1998 to acquiring not only GitHub but recently npm. A company that goes from literally saying “Linux (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Hernán Ortiz. Read the original post at: https://blog.sonatype.com/why-developers-are-becoming-the-weakest-link-in-supply-chain-attacks