How Shady Code Commits Compromise the Security of the Open-Source Ecosystem

Traditionally, concerns over open-source code security have revolved around whether or not open-source code could contain vulnerabilities, backdoors, or hidden malicious code. In recent months, however, Trend Micro researchers have observed a growth in a particular trend: Open-source code is being subjected to modifications to its functionality to express political protest. These instances of so-called “protestware” occur in the form of code changes by certain open-source code maintainers or backers in what could only be surmised as politically motivated or protest-driven acts. While this activity is not new and has been seen in the past, the recent geopolitical situation has divided the open-source community: Some support the trend, while others prefer that the open-source ecosystem remain apolitical, as protestware could jeopardize the trustworthiness of open-source software as a whole.

This type of activity attracted significant attention after the maintainer of an important Node.js supply chain component, node-ipc, altered its code to have destructive behavior. This node-ipc incident happened in March and turned out to be far from being an isolated case. There have been other incidents in the open-source community tied to the ongoing conflicts in Ukraine, Israel, and Palestine, and other geopolitical issues. Users of open-source software therefore need to ensure that the whole supply chain of their open-source software stack is safe and has not been affected by code changes that are not related to the code components’ main functionality. In fact, this is a new concern that IT administrators have to worry about when securing their systems. Now, they also have to think about how politics might interfere with their digital supply chain.

Read more…
Source: Trend Micro