Supply Chain Hacks

Ben Smith gave a talk at Aloha Ruby Conference in 2012 entitled Hacking with Gems. The talk includes several examples of abusing Ruby gems for malicious purposes. It was an early warning about software supply chain attacks that have since occurred in real life. youtube

YOUTUBE z-5bO0Q1J9s What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box?

.

2016: How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript the register

Azer Koçulu unpublished more than 250 of his modules from NPM, including left-pad.

    // left-pad as published: pad `str` on the left with `ch` (default: a space)
    // until it is `len` characters long
    module.exports = leftpad;

    function leftpad (str, len, ch) {
      str = String(str);
      var i = -1;
      if (!ch && ch !== 0) ch = ' ';   // 0 is allowed as an explicit pad character
      len = len - str.length;
      while (++i < len) {
        str = ch + str;
      }
      return str;
    }

.

2019: Hacker Infects Node.js Package to Steal from Bitcoin Wallets article

The event-stream module was originally by Dominic Tarr, who maintained the library before handing the reins to a project contributor who goes by the handle “right9ctrl.” Tarr indicated that he has not used the module for years and transferred its ownership after he received an email regarding its maintenance. The new maintainer has since released event-stream version 3.3.6, with a new dependency called “flatmap-stream” that contained the malicious code.
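Both incidents above would have surfaced as a change in the dependency lockfile: a package that disappears (left-pad) or a new transitive dependency that appears alongside a version bump (flatmap-stream arriving with event-stream 3.3.6). The following is an added example, not code from either project: it diffs two npm package-lock.json snapshots (assumed to be lockfileVersion 2 or 3, which carry a flat "packages" map) and reports added, removed and changed packages plus any entry lacking an integrity hash. The lockfile contents are constructed for illustration.

```javascript
// Added example (not from the page): report what changed between two
// npm package-lock.json snapshots. Assumes lockfileVersion 2/3 ("packages"
// map keyed by install path); v1 lockfiles with nested "dependencies"
// are not handled.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const report = { added: [], removed: [], changed: [], noIntegrity: [] };
  // Strip everything up to the last "node_modules/" to get the bare name.
  const nameOf = (p) => p.replace(/^.*node_modules\//, "");

  for (const [path, meta] of Object.entries(newPkgs)) {
    if (path === "") continue; // "" is the root project itself
    const prev = oldPkgs[path];
    if (!prev) {
      report.added.push({ name: nameOf(path), version: meta.version });
    } else if (prev.version !== meta.version) {
      report.changed.push({ name: nameOf(path), from: prev.version, to: meta.version });
    }
    // Registry tarballs should always carry an integrity hash; a workspace
    // link entry legitimately has none.
    if (!meta.integrity && !meta.link) report.noIntegrity.push(nameOf(path));
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !(path in newPkgs)) report.removed.push(nameOf(path));
  }
  return report;
}

// Constructed sample lockfiles (versions and hashes are placeholders).
const before = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/event-stream": { version: "3.3.4", integrity: "sha512-AAAA" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-BBBB" },
  },
};
const after = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/event-stream": { version: "3.3.6", integrity: "sha512-CCCC" },
    "node_modules/flatmap-stream": { version: "0.1.1" },
  },
};

console.log(JSON.stringify(diffLockfiles(before, after), null, 2));
```

Running this over the constructed snapshots lists flatmap-stream as added (and without an integrity hash), left-pad as removed, and event-stream as changed from 3.3.4 to 3.3.6, which is exactly what a review of the lockfile change should surface.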

.

2020: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor article

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

Also, see