What Kind of Data Gets Stolen When a Developer is Compromised?

Question: What type of information can an attacker steal after compromising a developer?

Louis Lang, security researcher, CTO of Phylum: We have spent a very long time convincing folks they shouldn’t open email attachments from unknown senders. We have spent significantly less time convincing the broader developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they usually land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open, since the developer willingly pulls in the code (which includes the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer’s position, nearly everything. Assuming a compromise has occurred, in the best possible case, the attacker will have gained access to a junior engineer’s machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free rein to modify the organization’s source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure, and likely the ability to bypass certain code checks. This scenario, where this kind of engineer is compromised, would be devastating for an organization.

This isn’t hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailored to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even tried to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they’re the linchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and will lead to catastrophic consequences.
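The typosquatting and dependency-confusion vectors mentioned in the answer, and the credential-stealing packages that ride on them, lend themselves to a cheap pre-install check. The following is an added example, not code from the original answer or from Phylum. It assumes a constructed requirements.txt, a deliberately short stand-in list of well-known PyPI names (`KNOWN_POPULAR`), and a hypothetical internal naming prefix `acme-`. It flags requested names within a small edit distance of a well-known name (typosquat candidates) and internal names that would be resolved through `--extra-index-url`, where pip takes the highest version offered by any configured index, which is exactly what dependency confusion abuses.

```python
import re

# Constructed, deliberately short list of well-known PyPI names; an assumption
# standing in for a real popularity list.
KNOWN_POPULAR = {"requests", "urllib3", "numpy", "boto3", "cryptography",
                 "django", "flask", "pyyaml"}

# Hypothetical naming convention for this organisation's private packages.
INTERNAL_PREFIX = "acme-"


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute; each costs 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str):
    """Return (requested package names, whether --extra-index-url is used)."""
    names, extra_index = [], False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):  # pip option line, not a requirement
            if line.startswith("--extra-index-url"):
                extra_index = True
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before ==, >=, [extras]
        if m:
            names.append(m.group(0))
    return names, extra_index


def check_requirements(text: str):
    """Return (name, finding kind, reason) tuples for suspicious requirements."""
    findings = []
    names, extra_index = parse_requirements(text)
    for name in names:
        n = normalize(name)
        if n in KNOWN_POPULAR:
            continue
        if n.startswith(INTERNAL_PREFIX):
            if extra_index:
                findings.append((name, "dependency-confusion",
                                 "private name resolved with --extra-index-url; pip takes the "
                                 "highest version from any index, so a public upload wins"))
            continue
        for popular in KNOWN_POPULAR:
            d = edit_distance(n, popular)
            if 0 < d <= 2:
                findings.append((name, "typosquat", f"edit distance {d} from '{popular}'"))
    return findings


# Constructed sample input; the index URL is hypothetical.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.example.internal/simple  # hypothetical private index
requests==2.31.0
requets==2.31.0
acme-billing>=1.0
numpy
"""

if __name__ == "__main__":
    for name, kind, why in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind:<22} {name:<14} {why}")
```

On the sample above this reports `requets` as a typosquat candidate for `requests` and `acme-billing` as exposed to dependency confusion. The edit-distance heuristic is noisy on very short names and needs a real popularity list to be useful; the structural fix for the confusion case is to resolve private names only from a single index (`--index-url` pointing at a proxy that mirrors PyPI) rather than mixing a public and a private index.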
