Why Attackers in Code Packages are Getting a Pass

Supply chain attacks are gaining popularity, and we wanted to examine, from an attacker's point of view, how difficult it is to poison OSS packages. We found many alarming practices that hold the security community back from detecting those attackers.

This is an invitation and a wake-up call for researchers to start examining new developments in the field of OSS. This field is wide open and vulnerable to almost anyone who wants to take advantage of the current state of affairs. For researchers, it is uncharted territory, with the possibility of making major advances with small tools and practices that improve the ecosystem's ability to face threats that will most certainly grow and develop.