Foiled Attempt to Hack Supply Chain Sparks Concerns in Washington DC
An attempted sabotage of a widely used software tool has sparked concerns in Washington, D.C. about the vulnerability of the open-source supply chain and the potential involvement of foreign nation-states in covert operations.
A software engineer named Andres Freund, working at Microsoft, uncovered hidden malicious code within two versions of a popular open-source data compression tool, known as Xz, on Friday, March 29. These compromised versions had already been incorporated into two editions of the widely used Linux operating system. The discovery initiated urgent efforts by security experts and government agencies to prevent the compromised versions of Xz from being exploited for spying or cyberattacks against Linux users. The U.S. government’s primary civilian cybersecurity agency, CISA, promptly issued guidance on addressing the issue.
Swift action and the targeted nature of the exploit likely averted widespread damage from the hack. Nevertheless, the incident has rattled the cybersecurity community, both for how it was carried out and for what it implies.
A GitHub user named Jia Tan, whose identity remains uncertain, spent approximately two years establishing credibility within the developer community before exploiting that trust to gain control of Xz. This manipulation of trust even garnered support from at least five other GitHub users who endorsed Jia Tan’s reliability, according to Marc Rogers, a cybersecurity researcher investigatin
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents