Developers are being targeted in supply chain attacks as more open-source libraries are caught stealing data.

Software developers are increasingly being targeted in supply chain attacks. Their machines might hold SSH keys providing access to other systems, keys to production systems, and company intellectual property. Developers also usually have full admin privileges on their machines, which makes them an extremely valuable target.

Early this month, malicious libraries were discovered in the Rust programming language’s crate registry. It is unclear what the goal of the attackers was, and it is suspected that the libraries were discovered in the early stages of a campaign. The libraries were found to have functionality to capture operating system information and transmit that data to a Telegram channel.

Supply chain attacks using malicious open-source libraries have been increasing in recent years. Developers will need to be vigilant and make sure they only download reputable libraries and scan them for known open-source vulnerabilities before using them.

This segment was created for the It’s 5:05 podcast