It has been reported that hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites,
Hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites.https://t.co/CppSpiekRX via @ZDNet & @campuscodi
— Jinson Varghese (@JinsonCyberSec) May 13, 2019
Expert Comments:
Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):
“This is the latest in a series of efforts by malicious actors to compromise web sites through their use of open source components. As a background, in the 2019 OSSRA report it was observed that open source components were in use in 96% of the audited applications, and that’s due in large part to the ability for application development teams to focus on their unique code and leave the plumbing and foundation to shared components from the open source community. Malicious actors are taking advantage of this supply chain dynamic to poison components as they enter the development stream where developers are more focused on the code they create than the code they depend upon. Countering this paradigm requires a shift in the way open source components are typically consumed – after all open source has a reputation for providing free software. While an open source component might be free from cost, it’s consumption is not without responsibilities. One of the key responsibilities being engagement with the community creating the software component. Engaged consumers are in a position to ask questions and review changes and updates before consuming them. This review process is critical when adopting components that transmit data for analysis as those are most tempting for supply chain poisoning.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.