[GTALUG] supply chain risks: a real example
D. Hugh Redelmeier
hugh at mimosa.com
Fri Mar 18 11:40:29 EDT 2022
Supply chain risks are important in open source: with so many
contributors, how can one be sure that there aren't malicious components?
(Buggy components are also a threat.)
(Closed source has this problem too, with some variations.)
This is a scary real current example:
<https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>
As I understand it, this malicious software tried to damage systems
in Russia and Belarus. That's terrible. And it has had unintended
side-effects:
<https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>
(One could also argue that leaving important information in Belarus, with
no recent backup, is very dumb.)