Open source maintainer Val Karpov on the xz utils backdoor hack

  • Published: 13 May 2024
  • Shortly after the xz utils backdoor hack was uncovered, Tidelift gathered together a group of open source maintainers across the JavaScript, Java, and Python ecosystems to hear not only how the xz hack impacted their work (spoiler alert: this attack reverberated across ALL ecosystems, not just the Linux OS!), but also how it made them feel.
    In this clip, we hear from open source maintainer Val Karpov. Val maintains Mongoose, an ODM (Object Data Modeling) library for MongoDB. Here he highlights why this type of socially engineered attack is nothing new in open source security.
    You can watch the entirety of the panel on-demand here: explore.tidelift.com/c/life-a...
    Learn more about xz: tidelift.com/resources/xz-bac...
    Transcript:
    On a different note, there was something I wanted to highlight, which is a similar attack that happened about six years ago in the Node community. Do you remember the event-stream attack, Jordan, from 2018? Another case of a burned-out maintainer who handed their project off to someone who had recently created a GitHub profile. It turns out that they basically just published a package that started trying to steal people's Bitcoin keys. The XZ attack isn't anything new. I just think it was executed with a level of sophistication that is new and quite shocking, frankly, in my opinion.
