The newest malware vector in open source
As the title for the linked post from Cory Doctorow says, all you have to do is “become an admin on dormant, widely-used open source projects” and then do your thing.
Many open source projects attain a level of “maturity” where no one really needs any new features and there aren’t a lot of new bugs being found. The contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the tedious, intermittent work of keeping them alive.
Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity.
This presents a scary social-engineering vector for malware…
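One defensive check that follows from this vector, as an added example that is not part of the original post or of event-stream itself: flag releases of a dependency that were published by an account that had never published that package before, and note how long the package sat quiet beforehand. The input is shaped like the npm registry's full packument (`time[version]` and `versions[version]._npmUser`), but the sample metadata is constructed here and the package name is made up.

```javascript
'use strict';

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns one record per version whose publisher had never published this
// package before (the very first release is not counted as a handoff).
// `dormantDays` is the gap since the previous release; `afterDormancy` is true
// when that gap is at least `minDormantDays`.
function findPublisherHandoffs(packument, minDormantDays = 180) {
  const time = packument.time || {};
  const versions = Object.keys(packument.versions)
    .filter((v) => time[v])
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
  const seen = new Set();
  const flagged = [];
  let prevTime = null;
  for (const v of versions) {
    const user = packument.versions[v]._npmUser;
    const publisher = user && user.name ? user.name : '<unknown>';
    const t = Date.parse(time[v]);
    const dormantDays = prevTime === null ? 0 : Math.round((t - prevTime) / DAY_MS);
    if (seen.size > 0 && !seen.has(publisher)) {
      flagged.push({ version: v, publisher, dormantDays, afterDormancy: dormantDays >= minDormantDays });
    }
    seen.add(publisher);
    prevTime = t;
  }
  return flagged;
}

// Constructed sample: a mature package with one long-time maintainer, followed by
// a release from a new account after more than two years of silence.
const SAMPLE_PACKUMENT = {
  name: 'example-stream-utils', // made-up package name
  time: {
    '1.0.0': '2015-03-01T00:00:00.000Z',
    '1.1.0': '2016-06-10T00:00:00.000Z',
    '1.2.0': '2018-09-20T00:00:00.000Z',
  },
  versions: {
    '1.0.0': { _npmUser: { name: 'longtime-maintainer' } },
    '1.1.0': { _npmUser: { name: 'longtime-maintainer' } },
    '1.2.0': { _npmUser: { name: 'new-volunteer' } },
  },
};

for (const record of findPublisherHandoffs(SAMPLE_PACKUMENT)) {
  console.log(record); // { version: '1.2.0', publisher: 'new-volunteer', dormantDays: 832, afterDormancy: true }
}
```

A handoff is not evidence of compromise on its own; it is a prompt to review the diff of that release before upgrading, which is exactly the review that a dormant, trusted package tends not to get.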
We’ll be talking with Dominic Tarr about the details shared in Issue #116 on event-stream later today on The Changelog (the episode will hit RSS feeds next week).
Chime in below if you’d like to add questions/thoughts to our planned discussion.