Marcus Meissner and Johannes Segitz
At the end of March 2024 we faced the biggest supply chain attack we have seen so far in the Open Source ecosystem. A dedicated attacker had launched a multi-year effort to backdoor the xz compression library.
openSUSE Tumbleweed contained the backdoor for 3 whole weeks before an outside researcher found it.
We will give a report on this attack and our reaction to it, and also go into some future considerations for detecting or avoiding this kind of sophisticated attack.