Open Source Backdoors

Things to note

An attempt to backdoor SSH was discovered over the weekend, via a library called xz. Kevin Beaumont wrote a good summary. A lot of people who were experts in bridges and civil engineering last week are now C programming and open source supply chain experts this week. For the vast majority of people, you don't have to do anything. Just wait for the more distractable elements to move on to whatever shiny object they see next while those of us who actually work on this stuff figure out if there's anything new here.

Since this does actually overlap with my own expertise and work, I've written about this in more detail below.

Semi-related, around 170,000 people got hit by a fake Python package. The multi-step attack chain took a while to pull off. Python has become a very popular language, making its ecosystem a juicy target for these kinds of attacks. Soon Microsoft will help you automate these attacks using Copilot.

If you use JetBrains TeamCity, you need to patch it. It might have a bunch of high-severity security vulnerabilities; we don't know, because JetBrains won't say. As of March, TeamCity now supports automatic download of security updates, as other software systems have done for years. It won't install them, though. You have to manually approve that happening.

Subscriber Only Content

This content is only available to PivotNine subscribers.