Yesterday, an interesting happened within the Eclipse Foundation community where someone sent a malicious code review…
Sometimes I wished the Internet just went away. First malicious Gerrit contribution https://t.co/f6uJpb5CnQ
— Denis Roy (@droy_eclipse) December 10, 2014
We generally don’t see this type of thing in open source communities (mostly just contributions without tests), but I believe malicious contributions will continue and become more frequent. The opportunity is just there for bad actors and open source code is embedded all over the place, from your desktop, to your mobile devices to vehicles.
Looking back, there’s been some notable opportunities for bad actors to inject malicious code. One example I recall in particular is RubyGems and SSL and another more prominent example was when the Kernel.org servers were hacked:
— Ars Technica (@arstechnica) September 24, 2013
Good times, stay diligent.