This post from Eric Holmes details how package managers can be used in supply chain attacks — specifically, in this case, a supply chain attack on Homebrew — which is used by hundreds of thousands of people, including “employees at some of the biggest companies in Silicon Valley.”
On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core.
If I were a malicious actor, I could have made a small, likely unnoticed change to the
opensslformulae, placing a backdoor on any machine that installed it.
If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers?