Saturday, December 24, 2022

What Kind of Data Gets Stolen When a Developer Is Compromised?



Question: What kind of data can an attacker steal after compromising a developer?

Louis Lang, security researcher, CTO of Phylum: We have spent a very long time convincing people they shouldn't open email attachments from unknown senders. We have spent significantly less time convincing the broader developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged access. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open, since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the best case, the attacker might have gained access to a junior engineer's machine. We'd expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free rein to modify the organization's source code at will; to alter and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer can have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure, and surely the ability to bypass certain code checks. This scenario, where this kind of engineer is compromised, could be devastating for an organization.

This isn't hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailored to exfiltrate credentials and other information deemed sensitive or important. In more recent campaigns, attackers have even tried to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the linchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and will result in catastrophic consequences.
