A so-called software supply chain attack, in which hackers corrupt a legitimate piece of software to hide their own malicious code, was once a relatively rare event but one that haunted the cybersecurity world with its insidious threat of turning any innocent application into a dangerous foothold in a victim’s network. Now one group of cybercriminals has turned that occasional nightmare into a near-weekly episode, corrupting hundreds of open source tools, extorting victims for profit, and sowing a new level of distrust in an entire ecosystem used to create the world’s software.
On Tuesday night, open source code platform GitHub announced that it had been breached by hackers in one such software supply chain attack: A GitHub developer had installed a “poisoned” VS Code extension, a plug-in for the widely used code editor that, like GitHub itself, is owned by Microsoft. As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have accessed around 4,000 of GitHub’s code repositories. GitHub’s statement confirmed that it had found at least 3,800 compromised repositories, while noting that, based on its findings so far, they all contained GitHub’s own code, not that of customers.
“We are here today to advertise GitHub’s source code and internal orgs for sale,” TeamPCP wrote on BreachForums, a forum and marketplace for cybercriminals. “Everything for the main platform is there and I am very happy to send samples to interested buyers to verify absolute authenticity.”
Google recently released a disruptive AI service called "Always On AI Agent", which provides round-the-clock (7×24) data analysis and automated task handling. The system integrates the user's digital services through the Gemini multimodal architecture, builds a personal behaviour model from the past 20 years of data, and emphasizes local privacy protection. Compared with existing AI, its advantages lie in proactive interaction, the sheer volume of data it integrates, and seamless connection with the Google ecosystem. Industry experts believe the service will change how people interact with machines, but it has also sparked privacy and ethics controversy, despite Google's promise of strict data-handling principles.