They are easy and effective
- Huge growth in tooling and systems making use of “community” dependencies
- Fewer safeguards and security guarantees and concerns on these platforms
- Easy entry into these platforms and systems
- Huge potential scale-effect through global software development tooling
- Huge additional potential scale effect through developer and development systems - crossing into other such platforms through local credentials, immediate access to internal tooling, platforms, and systems, and potential to attack other downstream systems and platforms
- Public knowledge about the attack vectors, attack successes and reporting, and continued opportunity, occurrence, and personal successes, investment, and knowledge
Is it the attacks themselves that have become a daily occurrence, or the detection thereof?
how many real-world attacks happened since the XZ fiasco outside of the webshit ecosystem?
Because they’re pretty effective currently
Because atomic dependencies.
Debian Linux, and many other Linux distros, have extensive measures to protect their supply chain. Packages are signed and verified, by multiple developers, before being built reproducibly (I can build and verify and identical binary/package). The build system has layers, such that if only a single layer is compromised, nothing happens and nobody flinches.
Programming langauge specific package repos, have no such protections. A single developer has their key/token/account, and then they can push packages, which are often built on their own devices. There are no reproducible build to ensure the binaries are from the same source code, and no multi-party signing to ensure that multiple devs would need to be compromised in order to compromise the package.
So what happened, probably, is some developer got phished or hacked, and gave up their API key. And the package they made was popular, and frequently ran unsandboxed on devs personal devices, so when other developers downloaded the latest version of that package, they got hacked too. The attackers then used their devices to push more malicious packages to the repo, and the cycle repeats.
And that’s why supply chain attacks are now a daily occurrence.
The guy in Nebraska probably has fewer resources to protect against you than the sum total of all of the downstream companies that you’re trying to attack.
If you attack the thing that customers use you affect one company.
If you attack the thing that developers use you affect a fuck tonne of companies.
Don’t forget the most important part - by attacking you make money in proportion to the amount of people affected.
