Backdoors in FOSS Tools

Hello, everyone. I have been trying to look for some research on the Impact of Backdoors on FOSS Tools. It would be great if someone could guide me or provide some related links. Thanks in advance!

Impact is a fairly broad term. FWIW I’ll leave a couple of references:

  1. Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks provides a fairly good summary seen across recent JS, Python and Ruby ecosystems. The paper notes:

    Decan, Mens, and Constantinou [13] leveraged security reports in order to examine how and when vulnerabilities in npm software packages are discovered and fixed. In order to assess the effect on other packages hosted on npm, a dependency graph was used. The key findings are that nearly half of the packages inherited vulnerabilities from other packages, and that version pinning to vulnerable and outdated packages are the main cause for such inherited vulnerabilities, even if fixes are available.

  2. Cryptsy, a crypto wallet, lost around 13,000 Bitcoin and 300,000 Litecoin, amounting to roughly $5.7 million. They attributed this to the developer of Lucky7Coin (LK7), who placed an IRC backdoor into the wallet's code.