This is a security nightmare: a researcher managed to breach over 35 major companies’ internal systems (including Microsoft, Apple, PayPal, Shopify, and more) in a software supply chain attack. 😱
The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into many companies’ internal applications. The attack vector leveraged a unique design flaw of the open-source ecosystems called dependency confusion.
Thankfully this breach was performed by a white hat security researcher — not a criminal — but the researcher believes there are more vulnerabilities more to discover. 💦
