OSS Under Attack: Four Lessons in How Trust Gets Exploited
People love free stuff! - Me August 2025
That applies to software as well, and thanks to countless open-source contributors, there’s no shortage of it. A 2024 study by Harvard Business School estimates the demand-side value of the Open-Source Software (OSS) ecosystem (what firms would have to spend to rebuild what they use for free) at over $8.8 trillion [1].
Another 2024 study, the Synopsys Open Source Security and Risk Analysis report [2], found that 96% of the codebases it audited contained OSS components and that those components made up roughly 77% of the code. Nobody wants to reinvent the wheel, and with thousands of readily available packages, libraries, and frameworks, developers can focus on building innovative features rather than basic functionality.
However, this convenience comes with a hidden cost: supply chain security risks. When malicious actors target these widely-used dependencies, the impact can be devastating and global in scope.
The Global Scale of Supply Chain Attacks
Supply chain attacks have evolved from theoretical concerns to concrete, high-impact threats that affect millions of users and thousands of organizations simultaneously.
These attacks are particularly insidious because they exploit the trust relationship between developers and the open-source ecosystem. When developers install a package from a trusted registry like npm or PyPI, or pull an action from GitHub, they assume it's safe, and their build tooling usually fetches the newest matching version without anyone looking at it.
As any cinema student would tell you: "Show, don’t tell!" So, let's dive into four examples of supply chain attacks that massively affected the ecosystem.
The Solana Web3.js Nightmare
In December 2024, the cryptocurrency world was shaken by a sophisticated supply chain attack targeting the @solana/web3.js npm package. This library, with over 450,000 weekly downloads, is a critical component for developers building applications on the Solana blockchain.
The Attack: On December 2, 2024, two malicious versions (1.95.6 and 1.95.7) were published to the npm registry. The attackers did not find a bug in the library; they obtained publish rights by compromising a maintainer's npm account, most likely through a phishing campaign.
The Impact: The injected code harvested private keys and sent them to an attacker-controlled server. Applications that handle private keys directly (bots, backend signing services) were the ones at risk; non-custodial wallets that never hand their keys to the library were not affected. The malicious versions were live for less than five hours, but given the library's popularity in the Web3 ecosystem the window was more than enough for real losses.
The Response: Both malicious versions were removed from the registry and a clean release (1.95.8) was published. However, any build that resolved a floating version range such as ^1.95.0 during that five-hour window silently pulled in the backdoored package. This is the case for committed lockfiles and exact pins: a lockfile would have kept an existing project on its previous, clean version until someone deliberately updated it.
GitHub Actions Under Fire - The tj-actions Breach
In March 2025, the DevOps community faced a significant security incident when the tj-actions/changed-files GitHub Action was compromised. This popular automation tool is used by over 23,000 repositories to detect file changes in CI/CD pipelines.
The Attack: The compromise was detected on March 14, 2025 (tracked as CVE-2025-30066). Using the credentials of a bot account with write access, the attackers pushed a malicious commit that lived on no branch (an orphaned commit, invisible in the normal history) and then retroactively repointed almost every existing release tag (v1 through v45) at it. Because most workflows reference actions by tag rather than by commit SHA, every pipeline that ran the action after that moment executed the payload without any change on the victim's side.
The Impact: Across the 23,000+ repositories using the action, the payload read the memory of the GitHub Actions runner process, extracted the secrets held there and printed them into the job log, only lightly obscured with a double base64 encoding. For public repositories those logs are world-readable, so API keys, cloud credentials and signing tokens used in CI/CD were effectively published. Workflows that had pinned the action to a full commit SHA were unaffected, because a tag can be moved but a commit hash cannot.
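The practical lesson from the tj-actions incident is to pin third-party actions to a full commit SHA rather than a tag. The following script is an added example, not code from the original article or from the tj-actions project: it scans a workflow file for `uses:` lines and reports every external action whose reference is a mutable tag or branch. The sample workflow and the 40-character hash in it are constructed for illustration and do not correspond to real commits.

```python
"""Flag GitHub Actions references that resolve through mutable tags or branches.

A tag such as v45 can be repointed by anyone who controls the action's
repository; a full 40-hex commit SHA cannot. This scanner treats anything
that is not a full SHA as unpinned (short SHAs included).
"""
import re

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for every action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        # Local actions and docker:// references are a different trust model;
        # they are skipped here so the report stays focused on marketplace actions.
        if action.startswith(("./", "docker://")):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow (not from any real repository). Only the
# setup-node step is pinned to an immutable commit; the hash is illustrative.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} uses a mutable ref; pin it to a commit SHA")
```

Run it against every file under `.github/workflows/` as a CI gate, or wire the same check into a pre-commit hook. Keep the human-readable version in a trailing comment (as the sample does) so reviewers can still see what a hash corresponds to, and let a tool such as Dependabot bump the pinned SHA when you actually want a newer release.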
Amazon Q - When AI Tools Become Attack Vectors
In July 2025, a significant breach was detected in Amazon Q's extension for VS Code, a developer tool that has been installed over 950,000 times. Hundreds of thousands of developers potentially received a compromised AI assistant that had been instructed to run destructive commands, up to and including erasing everything on the machine.
The Attack: A hacker inserted destructive instructions into the open-source repository of Amazon's Visual Studio Code extension for its AI coding assistant, Q, and the change was later shipped to users through an official update (version 1.84.0). The attacker reportedly got in by submitting a pull request in late June from an unverified GitHub account and was, by their own account, then granted administrative access to the repository (wtf!).
Fortunately, the code was defective and failed to run. The hacker stated their goal was to “expose their ‘AI’ security theater” and plant “a wiper designed to be defective as a warning to see if they’d publicly own up to their bad security."
The Payload: Rather than a conventional binary, the injected code was a prompt: it instructed the AI agent to behave like a system cleaner with access to the file system and the AWS CLI, with the aim of deleting the user's local files and cloud resources. The malicious commit landed in the repository on July 13, and Amazon, unaware, released the compromised version on July 17.
The Response: Amazon pulled the affected version, released a clean build (1.85.0) and revoked the credentials involved, but the incident highlighted two gaps at once: weak contribution and access governance on a repository that feeds an official release, and the fact that for an agent with tool access, a prompt is an executable payload.
XZ Utils - The Most Sophisticated Attack Yet
The XZ Utils backdoor (CVE-2024-3094) represents perhaps the most sophisticated and concerning supply chain attack discovered to date. This attack achieved a perfect CVSS score of 10 (the maximum) and demonstrates how patient, determined attackers can compromise fundamental system components.
The Attack: The attack wasn't a quick hit-and-run operation but a years-long campaign. A contributor going by "Jia Tan" earned co-maintainer status through roughly two years of legitimate-looking contributions, then hid the backdoor in the build scripts and in binary "test" files that were only assembled into the library when building from the release tarballs, not from the Git tree.
The Technical Impact: On distributions whose OpenSSH is patched to link libsystemd, sshd loads liblzma at startup. The backdoored liblzma hooks the RSA_public_decrypt function used during SSH authentication, so an attacker holding a specific Ed448 private key can embed a signed payload in the authentication exchange and have it executed as root, before any authentication succeeds. In other words, unauthenticated remote root on every exposed sshd, for the one party who holds the key.
The Distribution: The backdoor shipped in XZ Utils versions 5.6.0 and 5.6.1 and reached the rolling and pre-release channels of several major distributions, including Fedora Rawhide and the Fedora 40 beta, Debian testing and unstable, openSUSE Tumbleweed and Kali Linux, before the compromise was discovered. Stable releases of the big distributions had not yet picked it up.
The Discovery: The backdoor was found by Andres Freund, a Microsoft engineer working on PostgreSQL, who noticed that sshd logins had become about half a second slower and were burning an unusual amount of CPU while he was benchmarking, and then saw valgrind errors in liblzma. That accidental discovery, weeks before the versions would have reached stable releases, prevented what could have been a catastrophic compromise of Linux infrastructure worldwide.
The Response: CISA recommended that developers and users downgrade XZ Utils to an uncompromised version such as 5.4.6 Stable, and distributions rolled back their packages. A quick check on any host is to compare the output of xz --version against 5.6.0 and 5.6.1 and to confirm whether sshd links liblzma at all (stock upstream OpenSSH does not; only the systemd-patched builds are exposed).
Afterword
Hope you enjoyed those stories. I found them really interesting, as they highlight our strong dependence on widely distributed open-source components and how people try to exploit this ecosystem.
In the future, I’m planning to release another article on how to re-establish trust in the open-source ecosystem and mitigate these attacks, so stay tuned!