Kevin Beaumont

The Twilight zone time - a bug from 2015 comes back around in XZ incident, it appears github.com/google/sanitizers/i

2 comments
uoxc

@GossiTheDog wait, are we at "implementing features to get plausible deniability for evading vuln scanning?"

Because if so, this feels quite novel. At the very least, I can't remember a comparable supply chain attack of this sophistication off the top of my head.

Tony Hoyle

@uoxc @GossiTheDog Doesn't need to be that sophisticated..

Either (a) developer continues submitting other work whilst compromising at least one project, or (b) the account is in use by two people - the real developer and a hacker.

So the question becomes compromised account or compromised developer.

In the first case it's not that unbelievable that someone who was up to no good would try to cover their tracks by doing other unrelated things.
