It has been reported that hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites (https://t.co/CppSpiekRX, via @ZDNet and @campuscodi).
Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):
“This is the latest in a series of efforts by malicious actors to compromise web sites through their use of open source components. As a background, in the 2019 OSSRA report it was observed that open source components were in use in 96% of the audited applications, and that’s due in large part to the ability for application development teams to focus on their unique code and leave the plumbing and foundation to shared components from the open source community. Malicious actors are taking advantage of this supply chain dynamic to poison components as they enter the development stream, where developers are more focused on the code they create than the code they depend upon. Countering this paradigm requires a shift in the way open source components are typically consumed – after all, open source has a reputation for providing free software. While an open source component might be free from cost, its consumption is not without responsibilities. One of the key responsibilities is engagement with the community creating the software component. Engaged consumers are in a position to ask questions and review changes and updates before consuming them. This review process is critical when adopting components that transmit data for analysis, as those are most tempting for supply chain poisoning.”