Two different attackers poisoned popular open source tools – and showed us the future of supply chain compromise
Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won’t know the full blast radius for months.
Both targeted popular open source projects that are used by a ton of organizations and integrated into countless software products, apps and developer environments.
First, attackers hit Trivy, a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines. Up next: Axios, an open-source JavaScript library that has about 100 million weekly downloads and runs in 80 percent of cloud and code environments.
Read more at The Register