It’s Friday afternoon, and a new version of one of your critical dependencies is available for your software project. You KNOW your firm’s security team will be all over you next week to upgrade, and newer is always better anyway, right? You think nothing of running the build one more time to pull in the latest version, have a relaxing weekend, and show up to the office on Monday… to find a dumpster fire! What happened?! Unbeknownst to you, the package you upgraded on Friday was poisoned, and it has impacted systems throughout your entire firm.
This story might sound like fiction, but reality is stranger than fiction. We will discuss how this happens by examining two examples of poisoned projects and their impacts. Additionally, we will share three ways to protect yourself and your organization when using open-source components in your projects.