Over the past two years, I’ve spoken about more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private ssh keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted by the malicious injections have been difficult to detect because, on the surface, they look no different than other open source contributions. These bad actors leveraged the communal nature of open source to their advantage with devastating effect in some instances.
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: https://blog.sonatype.com/next-generation-nexus-intelligence