Enterprise Linux Security Episode 16 – Library Poisoning

Play

We’ve discussed supply-chain attacks in the past, and now it’s time to see an actual example that happened recently. However, this particular incident is especially unique as the libraries in question were allegedly poisoned by the actual developer. In this episode, Joao and Jay discuss the recent sabotage regarding two very popular NPM libraries.

Episode 4 – Supply Chain Attacks

Play

When you write software, there’s no reason to reinvent the wheel – shared libraries and other resources exist to enable you to create applications while avoiding redundant work. Unfortunately, sometimes the software supply itself chain is attacked, which would mean that your application contain malware or security threats you didn’t account for. In this episode of Enterprise Linux Security, Joao and I discuss supply chain attacks, as well as some ways to mitigate this threat.

Video-specific Links

Supply chain Levels for Software Artifacts (SLSA)

The Software Package Data Exchange (SPDX)