@tinker I've been thinking about how much time and effort went into selecting XZ as a target. It probably wouldn't be that hard to create a tool which searched the most commonly used open source projects and sorted them by the number of active maintainers.
@nerdpr0f - Take that idea and flip it! Use it to see which projects need to be reviewed first from a Threat Hunting perspective!
Seriously! It's a great approach you've created!
Specifically identify projects that would be High Value Targets to a malicious actor and then go through the code with the ASSUMPTION THAT THEY HAVE ALREADY BEEN COMPROMISED.
See how many other backdoors and vulns we can find.
#infosec #FOSS #backdoor #xz #xzBackdoor
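Both posts above describe the same tool from two sides: rank widely used projects by how few people actually maintain them, then read that ranking as a threat-hunting review queue. The script below is an added example, not code from either poster; it works on constructed lines in the shape of `git log --format='%aE|%aI'` output and a constructed reverse-dependency count, counts "active maintainers" as distinct author e-mails with at least `min_commits` commits in the trailing window (the threshold and window are assumptions, not anything the posts specify), and sorts projects by fewest active maintainers, breaking ties by most dependents.

```python
"""Rank projects by maintainer concentration, then turn the ranking into a review queue.

Added example. The commit lines and dependent counts below are constructed
sample data, not real project history; project names are hypothetical.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed: one line per commit, "author-email|ISO-8601 date", as produced by
#   git log --format='%aE|%aI'
SAMPLE_LOGS = {
    "libfoo": [
        "jia@example.org|2023-06-10T12:00:00+00:00",
        "jia@example.org|2023-08-01T12:00:00+00:00",
        "jia@example.org|2023-10-15T12:00:00+00:00",
        "jia@example.org|2023-12-20T12:00:00+00:00",
        "jia@example.org|2024-02-05T12:00:00+00:00",
        "jia@example.org|2024-03-10T12:00:00+00:00",
        "lasse@example.org|2023-07-04T12:00:00+00:00",  # occasional, below threshold
        "lasse@example.org|2024-01-09T12:00:00+00:00",
        "lasse@example.org|2021-05-05T12:00:00+00:00",  # outside the window
        "lasse@example.org|2021-09-17T12:00:00+00:00",
    ],
    "libbar": [
        "a@example.org|2023-09-01T12:00:00+00:00",
        "a@example.org|2023-10-01T12:00:00+00:00",
        "a@example.org|2023-11-01T12:00:00+00:00",
        "a@example.org|2024-01-15T12:00:00+00:00",
        "a@example.org|2024-03-01T12:00:00+00:00",
        "b@example.org|2023-09-02T12:00:00+00:00",
        "b@example.org|2023-11-20T12:00:00+00:00",
        "b@example.org|2024-01-03T12:00:00+00:00",
        "b@example.org|2024-02-14T12:00:00+00:00",
        "b@example.org|2024-03-20T12:00:00+00:00",
    ],
    "libbaz": [
        "c@example.org|2023-05-01T12:00:00+00:00",
        "c@example.org|2023-08-15T12:00:00+00:00",
        "c@example.org|2023-11-11T12:00:00+00:00",
        "c@example.org|2024-01-30T12:00:00+00:00",
        "c@example.org|2024-03-25T12:00:00+00:00",
    ],
}

# Constructed: number of packages depending on each project (a stand-in for a
# distro's reverse-dependency count).
DEPENDENTS = {"libfoo": 1200, "libbar": 5000, "libbaz": 40}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 3, 30, tzinfo=timezone.utc)


def parse_commits(lines):
    """Turn 'email|iso-date' lines into (email, aware datetime) tuples."""
    commits = []
    for line in lines:
        email, iso = line.split("|", 1)
        commits.append((email.strip().lower(), datetime.fromisoformat(iso.strip())))
    return commits


def active_maintainers(commits, now, window_days=365, min_commits=5):
    """Authors with at least min_commits commits inside the trailing window."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter(email for email, when in commits if when >= cutoff)
    return sorted(email for email, n in counts.items() if n >= min_commits)


def rank_projects(logs, dependents, now, window_days=365, min_commits=5):
    """Fewest active maintainers first; among equals, most dependents first."""
    rows = []
    for name, lines in logs.items():
        maint = active_maintainers(parse_commits(lines), now, window_days, min_commits)
        rows.append({
            "project": name,
            "active_maintainers": len(maint),
            "maintainers": maint,
            "dependents": dependents.get(name, 0),
        })
    rows.sort(key=lambda r: (r["active_maintainers"], -r["dependents"]))
    return rows


def review_queue(rows, max_maintainers=1):
    """The 'flipped' view: projects at or below the maintainer threshold, in rank order."""
    return [r["project"] for r in rows if r["active_maintainers"] <= max_maintainers]


if __name__ == "__main__":
    ranked = rank_projects(SAMPLE_LOGS, DEPENDENTS, NOW)
    for r in ranked:
        print(f"{r['project']:<8} maintainers={r['active_maintainers']} "
              f"dependents={r['dependents']:<5} {', '.join(r['maintainers'])}")
    print("review first:", review_queue(ranked))
```

On real data you would feed it the output of `git log --format='%aE|%aI'` per repository and a reverse-dependency count from your distro or package index; the threshold that separates a "maintainer" from an occasional contributor is the main knob, and it is worth checking the e-mail-to-person mapping by hand, since one person committing under several addresses inflates the count in the wrong direction.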