Farash Abugadije
Yeah, so I think the XZ Utils backdoor was really eye-opening to a lot of developers. It showed the vulnerability of the open-source ecosystem. You had this maintainer who had been tirelessly maintaining this package for 15 years, who was targeted by nation-state actors, who created, like, literally... it's like a spy movie, right?
They had multiple personas, fake personas that were contacting this poor maintainer and working on him psychologically to convince him over the course of two years to add them to the repository and give them publish permissions. And they did this through a bunch of kind of negative messages, but also by being helpful and by sending good positive pull requests.
And what they were able to do is get access to this package. This is built into pretty much every Linux server out there. And what this would have let them do is it would let them SSH into any server and run any command without knowing the password, without being authenticated to the server. So this would have been, like, a potentially world-ending kind of attack, right?
It would have been probably the worst attack we've ever seen. I'm not exaggerating. It could have been that bad. But we were lucky. Through a total accident, this backdoored dependency had made it into the beta builds of some popular Linux distros. And a developer who was testing out the beta versions of these Linux distros noticed some weird behavior.
He noticed that his SSH connection was taking half a second too long. And so he pulled the thread and traced it back to this backdoored dependency. And we were all saved because of this total accident. It's mind-blowing to me for a couple of reasons.
Like, one, obviously, wow, there are literally states out there, countries, that are trying to target open source now. Clearly, there's a team behind this. They probably didn't just work on this one dependency. They were probably working on getting access to many other ones in parallel.
If you just look at the time between the emails they sent to the maintainer, there was about a month between some of these emails. So they were probably working on other maintainers and trying to get access during that time. So that's really scary. I also think it's pretty scary to see the fact that it took an accident to find the attack.
It makes me think like how many have we not caught as a community? How many have we missed if this one was caught by a total accident? It was eye-opening to a lot of people and it made people realize that there really is a threat in the open source ecosystem. And it's not because most people are bad, it's the opposite.
Most people are good, but there are a few bad actors out there taking advantage of the trust in the system. That's really where we come in. We're trying to give every company the tools to protect themselves from those types of attacks. And that's what we do at Socket.