Delivering Malware Through Abandoned Amazon S3 Buckets
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.
[…]
Had this been an actual attack, they would have modified the code in those buckets to contain malware and watch as it was incorporated in different software builds around the internet. This is basically the SolarWinds attack, but much more extensive.
[…]
But there’s a second dimension to this attack. Because these update buckets are abandoned, the developers who are using them also no longer have the power to patch them automatically to protect them.
Previously:
- NPM Packages Sabotaged
- SolarWinds Breach
- Popular NPM Package Compromised
- How One Developer Broke Node, Babel, and Thousands of Projects
