The original post was made on 12 May 2022
Update 24 May 2022
Python is a popular coding language and many code libraries exist to make the programmer’s life a little easier. But as the articles below indicate, if that open source code becomes popular, then it also becomes a target for skilled threat actors to add their own poison pill.
Here is a real world example from SANS, researched by Yee Ching, looking at some extras added to a Python package. If used by a programmer as part of a legitimate software app, the AWS credentials (among other bits of information) of any subsequent user could be stolen.
ctx Python Library Updated with “Extra” Features – SANS Internet Storm Centre
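One practical defence against a library being quietly re-released with “extra” features is to pin every dependency to an exact version and a SHA-256 hash, so a changed artifact is rejected before it is installed. The script below is an added illustration (not code from the SANS write-up or the ctx project): it parses a hash-pinned requirements file of the kind `pip-compile --generate-hashes` produces, flags unpinned lines, and checks an artifact’s bytes against the pinned digests. The package name, version and file contents are constructed for the demo.

```python
import hashlib
import re

# A requirement line as written by `pip-compile --generate-hashes`, e.g.
#   ctx==0.1.2 --hash=sha256:<64 hex chars>
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)")
_HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")

def parse_pinned_requirements(text):
    """Return ({name: (version, {sha256 digests})}, [lines lacking a pin or hash])."""
    pinned, unpinned = {}, []
    # pip-compile splits long lines with a trailing backslash; join them first
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        digests = {h.group("digest") for h in _HASH_RE.finditer(line)}
        if m is None or not digests:
            unpinned.append(line)   # floating version or no hash: a re-released
            continue                # artifact under the same name would be accepted
        pinned[m.group("name").lower()] = (m.group("version"), digests)
    return pinned, unpinned

def verify_artifact(name, data, pinned):
    """True only if the artifact bytes hash to one of the pinned digests for `name`."""
    entry = pinned.get(name.lower())
    return entry is not None and hashlib.sha256(data).hexdigest() in entry[1]

def demo():
    """Constructed scenario: a known-good sdist and a later upload with extra code."""
    good = b"# original package contents\n"
    tampered = good + b"# extra code added in a later upload\n"
    lockfile = (
        "# constructed lockfile (hypothetical version and digest)\n"
        f"ctx==0.1.2 --hash=sha256:{hashlib.sha256(good).hexdigest()}\n"
        "requests>=2.0\n"   # unpinned: reported, never silently trusted
    )
    pinned, unpinned = parse_pinned_requirements(lockfile)
    return (verify_artifact("ctx", good, pinned),
            verify_artifact("ctx", tampered, pinned),
            unpinned)

if __name__ == "__main__":
    print(demo())   # (True, False, ['requests>=2.0'])
```

In practice the same check is what `pip install --require-hashes -r requirements.txt` performs; the script only makes the comparison visible.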
Update 18 May 2022
Here is action that Google is taking to secure the open-source supply chain. For Google itself, having a secure supply of Linux servers with an OS that can be depended on is essential for their worldwide operation – and the rest of us benefit from this as well.
Google’s got a plan to secure software supply chains • The Register
Original Post 12 May 2022
Over the past few months, the dependency of mainstream software on open source code has been exposed – the Log4j vulnerability and the various exploits of it are probably the most prominent example.
Here are a couple of articles that look at the issues and the mitigations:
Shared success in building a safer open source community (blog.google)
Backdoor in public repository used new form of attack to target big firms | Ars Technica