A new research paper published in support of the Ph.D: Continuous Verification of Open Source Components in a World of Weak Links https://ieeexplore.ieee.org/abstract/document/9985184 Abstract:
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major im-plications for organizations. The widespread adoption of open source (99% of today's software utilizes open source), the ease of today's package managers, and the best practice of implementing continuous delivery for software projects provide an unprece-dented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspicious of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligenc