Open-source Dangers: Supply Chain Infection

For software security, many people prefer open-source software. It’s usually functional and inexpensive, although it’s not always pretty. It also (generally) has a reputation for being more secure than closed-source software.

But a rash of supply chain attacks has infected many popular open-source projects. Oftentimes the infected code is small and innocuous-looking. As part of a bigger project, though, this malicious code can compromise systems and data.

Several examples of this have happened in the last few years:

  • Webmin – web-based system administration software
  • RubyGems libraries – small pieces of software used in bigger projects
  • VestaCP – server control panel software
  • Python package – “Colourama”, a copy of a popular Python package
  • Asus – malicious files installed on users’ systems carried legitimate Asus security certificates

The purpose behind these attacks also varies.

Some attacks (such as the “Colourama” attack) attempt to hijack a user’s cryptocurrency. They do this by watching the user’s clipboard for specific kinds of copied text, such as wallet addresses. These are mostly harmless, unless, of course, you use a cryptocurrency.
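The “Colourama” case above is a lookalike of the real colorama package. As an added example (not code from the original post), the script below scans a constructed requirements list for names that are a small edit distance from a short, assumed list of popular packages; the package list is illustrative, not an authoritative registry.

```python
import re

# Assumed list of well-known package names, for illustration only.
POPULAR_PACKAGES = {"colorama", "requests", "numpy", "urllib3", "setuptools"}

# Constructed sample requirements file, including one lookalike of colorama
# and one misspelling of requests.
SAMPLE_REQUIREMENTS = [
    "# constructed sample",
    "colourama==0.4.1",
    "requests>=2.0",
    "reqeusts",
    "numpy",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_lookalikes(requirements, known=POPULAR_PACKAGES, max_distance=2):
    """Return (requested, lookalike) pairs for names near, but not equal to,
    a known package. Exact matches are legitimate and skipped."""
    hits = []
    for line in requirements:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Strip version specifiers, extras and environment markers.
        name = re.split(r"[=<>!~;\[ ]", line, maxsplit=1)[0]
        n = normalize(name)
        if n in known:
            continue
        for k in sorted(known):
            if edit_distance(n, k) <= max_distance:
                hits.append((name, k))
    return hits


if __name__ == "__main__":
    for requested, real in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} looks like {real!r}")
```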

Other types of malicious code in these software packages may be much more dangerous. The exploits used in the Webmin and some of the RubyGems software allowed remote code execution, sometimes with root privileges. Pretty much the gold standard of Really Bad Computer Things™.

All this is to say, there is NO safe software.

While you should definitely be on guard against suspicious emails, “free” software, and all social media, that’s not enough.

You also need to make sure to update software regularly, update your router regularly, and practice good password hygiene.