Why have supply chain attacks become a daily occurrence?
from dhruv3006@lemmy.world to programming@programming.dev on 31 Mar 04:34
https://lemmy.world/post/44969805

#programming


unmagical@lemmy.ml on 31 Mar 04:55

If you attack the thing that customers use you affect one company.

If you attack the thing that developers use you affect a fuck tonne of companies.

HelloRoot@lemy.lol on 31 Mar 05:15

Don’t forget the most important part - by attacking you make money in proportion to the amount of people affected.

moonpiedumplings@programming.dev on 31 Mar 05:28

Debian Linux, and many other Linux distros, have extensive measures to protect their supply chain. Packages are signed and verified, by multiple developers, before being built reproducibly (I can build and verify an identical binary/package). The build system has layers, such that if only a single layer is compromised, nothing happens and nobody flinches.

Programming language specific package repos have no such protections. A single developer has their key/token/account, and then they can push packages, which are often built on their own devices. There are no reproducible builds to ensure the binaries are from the same source code, and no multi-party signing to ensure that multiple devs would need to be compromised in order to compromise the package.

So what happened, probably, is some developer got phished or hacked, and gave up their API key. And the package they made was popular, and frequently ran unsandboxed on devs personal devices, so when other developers downloaded the latest version of that package, they got hacked too. The attackers then used their devices to push more malicious packages to the repo, and the cycle repeats.

And that’s why supply chain attacks are now a daily occurrence.
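The two controls this comment contrasts (a reproducible build that anyone can re-run and compare, and a release that needs more than one maintainer's attestation) can be shown as a small acceptance check. This is an added example, not code from the thread or from Debian's tooling; the maintainer keyring, the toy build step and the artifacts are constructed, and HMAC stands in for the public-key signatures a real repo would use, purely so the script runs on the standard library.

```python
import hashlib
import hmac

# Constructed maintainer secrets for the example; not real keys.
# Hypothetical stand-in for a keyring: a real repo holds maintainers'
# public keys and each maintainer signs with a private key.
MAINTAINER_KEYS = {
    "alice": b"alice-example-secret",
    "bob": b"bob-example-secret",
    "carol": b"carol-example-secret",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes) -> bytes:
    """Deterministic toy 'compiler': same source in, same bytes out.
    Stand-in for a real reproducible build pipeline."""
    return b"BUILD-v1\n" + source


def attest(maintainer: str, artifact_digest: str) -> str:
    """Maintainer attestation over the artifact digest.
    HMAC replaces a public-key signature here only to keep the example
    dependency-free; no real package repository signs this way."""
    key = MAINTAINER_KEYS[maintainer]
    return hmac.new(key, artifact_digest.encode(), "sha256").hexdigest()


def reproducible_build_matches(source: bytes, build_fn, published: bytes) -> bool:
    """Rebuild from source and compare the digest with the published binary."""
    rebuilt_digest = sha256_hex(build_fn(source))
    return hmac.compare_digest(rebuilt_digest, sha256_hex(published))


def count_valid_attestations(artifact_digest: str, attestations: dict) -> int:
    """Count distinct known maintainers whose attestation verifies.
    Unknown names and bad tags are ignored, never counted."""
    valid = 0
    for maintainer, tag in attestations.items():
        key = MAINTAINER_KEYS.get(maintainer)
        if key is None:
            continue
        expected = hmac.new(key, artifact_digest.encode(), "sha256").hexdigest()
        if hmac.compare_digest(expected, tag):
            valid += 1
    return valid


def release_is_trusted(source, build_fn, published, attestations, threshold=2) -> bool:
    """Accept a release only if it rebuilds bit-for-bit from source AND at
    least `threshold` distinct maintainers attested to that exact artifact."""
    if not reproducible_build_matches(source, build_fn, published):
        return False
    return count_valid_attestations(sha256_hex(published), attestations) >= threshold


def demo() -> dict:
    source = b"print('hello')\n"
    artifact = toy_build(source)
    digest = sha256_hex(artifact)

    two_signers = {"alice": attest("alice", digest), "bob": attest("bob", digest)}
    one_signer = {"alice": attest("alice", digest)}

    # A modified binary that no longer matches a rebuild from the published
    # source, attested only by the single maintainer whose key leaked.
    tampered = artifact + b"# injected\n"
    tampered_sigs = {"alice": attest("alice", sha256_hex(tampered))}

    # A name that is not in the keyring adds nothing to the count.
    outsider_sigs = {"alice": attest("alice", digest), "mallory": "deadbeef"}

    return {
        "good_release": release_is_trusted(source, toy_build, artifact, two_signers),
        "single_signer": release_is_trusted(source, toy_build, artifact, one_signer),
        "tampered": release_is_trusted(source, toy_build, tampered, tampered_sigs),
        "outsider": release_is_trusted(source, toy_build, artifact, outsider_sigs),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The order of the checks matters: the rebuild comparison runs first, so a binary that was built on a compromised laptop is rejected before any signature is even considered, and a single stolen key can at most produce one of the two required attestations.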

tal@lemmy.today on 31 Mar 07:11

xkcd.com/2347/

[image: xkcd comic "Dependency", https://imgs.xkcd.com/comics/dependency_2x.png]

The guy in Nebraska probably has fewer resources to protect against you than the sum total of all of the downstream companies that you’re trying to attack.

9point6@lemmy.world on 31 Mar 09:23

Because they’re pretty effective currently

MonkderVierte@lemmy.zip on 31 Mar 11:23

Because atomic dependencies.

Kissaki@programming.dev on 31 Mar 11:40

  • Huge growth in tooling and systems making use of “community” dependencies
  • Fewer safeguards and security guarantees and concerns on these platforms
  • Easy entry into these platforms and systems
  • Huge potential scale-effect through global software development tooling
  • Huge additional potential scale effect through developer and development systems - crossing into other such platforms through local credentials, immediate access to internal tooling, platforms, and systems, and potential to attack other downstream systems and platforms
  • Public knowledge about the attack vectors, attack successes and reporting, and continued opportunity, occurrence, and personal successes, investment, and knowledge

thedeadwalking4242@lemmy.world on 31 Mar 11:59

They are easy and effective

BB_C@programming.dev on 31 Mar 12:00

How many real-world attacks happened since the XZ fiasco outside of the webshit ecosystem?

grueling_spool@sh.itjust.works on 31 Mar 13:16

Is it the attacks themselves that have become a daily occurrence, or the detection thereof?

trackball_fetish@lemmy.wtf on 31 Mar 18:59

Because it's easier to catch many fish with a large net than many fish with a small one.

dosse91@lemmy.trippy.pizza on 31 Mar 19:36

Because in web development it is perfectly normal to use 2 frameworks and 1200 random libraries to do the simplest of things. One compromised library will compromise all applications that rely on it directly or indirectly, no matter how small.

I absolutely hate this aspect of web development and frankly I’m scared every time I type npm install.
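One concrete way to face the "1200 random libraries" problem before running npm install is to audit the lockfile that pins them: how many packages are direct versus transitive, and whether each pinned entry carries an integrity hash, resolves over HTTPS, and declares an install script that will execute on the developer's machine. This is an added example, not code from the thread or from npm; the package-lock.json below is constructed with made-up names, URLs and integrity strings, and it follows the lockfileVersion 3 layout where the root entry is keyed by the empty string.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout). Package names,
# URLs and integrity strings are invented for the example.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"webframework": "^4.0.0", "left-pad-ish": "^1.0.0"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.example/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-EXAMPLEINTEGRITYVALUE==",
        },
        "node_modules/webframework": {
            "version": "4.0.0",
            "resolved": "https://registry.example/webframework-4.0.0.tgz",
            "integrity": "sha512-EXAMPLEINTEGRITYVALUE==",
            "dependencies": {"tiny-util": "^2.0.0", "colorz": "^1.0.0"},
        },
        # Transitive dependency pinned without any integrity hash.
        "node_modules/tiny-util": {
            "version": "2.0.0",
            "resolved": "https://registry.example/tiny-util-2.0.0.tgz",
        },
        # Transitive dependency fetched over plain HTTP, with a sha1 hash
        # and a lifecycle script that runs at install time.
        "node_modules/colorz": {
            "version": "1.0.0",
            "resolved": "http://mirror.example/colorz-1.0.0.tgz",
            "integrity": "sha1-EXAMPLEWEAKDIGEST=",
            "hasInstallScript": True,
        },
    },
})

STRONG_INTEGRITY_PREFIXES = ("sha512-", "sha384-", "sha256-")


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last path segment after node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text: str) -> dict:
    """Summarise the dependency tree and flag entries a reviewer should look at."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    installed = {package_name(p): entry for p, entry in packages.items() if p}

    findings = []
    for name, entry in sorted(installed.items()):
        integrity = entry.get("integrity")
        if not integrity:
            findings.append((name, "missing integrity hash"))
        elif not integrity.startswith(STRONG_INTEGRITY_PREFIXES):
            findings.append((name, "weak integrity algorithm"))
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith("https://"):
            findings.append((name, "non-https resolved URL"))
        if entry.get("hasInstallScript"):
            findings.append((name, "runs an install script"))

    return {
        "total": len(installed),
        "direct": len(direct & set(installed)),
        "transitive": len(set(installed) - direct),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCK)
    print(f"{report['total']} packages: {report['direct']} direct, {report['transitive']} transitive")
    for name, issue in report["findings"]:
        print(f"  {name}: {issue}")
```

The counts make the thread's point visible in a real project: the transitive number is usually the large one, and every entry in it is code the developer never chose. The install-script flag is the one worth reviewing first, since that is the point where a compromised package gets to run on the developer's machine rather than merely sit on disk.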