A malicious backdoor has been found in the popular open source software library bootstrap-sass. This was done by someone who created an unauthorized updated version of the software on the RubyGems software hosting site. The good news is that it was quickly detected (within the day) and updated, and that limited the impact of this subversion. The backdoored version (3.2.0.3) was only downloaded 1,477 times. For comparison, as of April 2019 the previous version in that branch (3.2.0.2) was downloaded 1.2 million times, and the following version 3.2.0.4 (which duplicated 3.2.0.2) was downloaded 1,700 times (that’s more than the subverted version!). So it is likely that almost all subverted systems have already been fixed.
That said, there's clearly room to improve. I believe that every time a bad thing happens we should try to find out how it happened, and then see if there are reasonable steps that can be taken to reduce the risk. This paper is part of my essay suite Learning from Disaster, which applies this approach to various past problems.
With that in mind, here are a few thoughts on how to reduce the risk of a similar problem in the future:
No doubt there are many more ways to reduce risks like this. This is, fundamentally, a software supply chain attack. But since most software is reused, not custom-written, software supply chain attacks are a real risk and they need to be addressed.
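As an added illustration (not part of this essay), here is a defender-side check that a Ruby project's Gemfile.lock does not pin any gem to a release known to have been subverted. The deny-list, the sample lockfile and the helper names are constructed for the example; the bootstrap-sass entry is the release described above.

```ruby
# Constructed deny-list of known-subverted releases (example data).
KNOWN_BAD = { 'bootstrap-sass' => ['3.2.0.3'] }.freeze

# Constructed sample Gemfile.lock, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.9)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      execjs (2.7.0)
      sassc (2.0.1)

  PLATFORMS
    ruby
LOCK

# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# Resolved gems sit at exactly four spaces of indentation; their
# dependency lines are indented deeper and are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /\A\S/   # next section (PLATFORMS, ...)
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs[Regexp.last_match(1)] = Regexp.last_match(2)
    end
  end
  specs
end

# Return the subset of pinned gems whose exact version is on the deny-list.
def find_subverted(specs, deny = KNOWN_BAD)
  specs.select { |name, ver| deny.fetch(name, []).include?(ver) }
end

if __FILE__ == $PROGRAM_NAME
  hits = find_subverted(parse_lockfile(SAMPLE_LOCK))
  hits.each { |name, ver| puts "#{name} #{ver}: known-subverted release, upgrade" }
end
```

Running it against a real project's lockfile is a matter of replacing SAMPLE_LOCK with `File.read('Gemfile.lock')`; a non-empty result means the lockfile still references the subverted release.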
If you enjoyed this paper, you might also enjoy the entire suite of related papers in my essay suite Learning from Disaster. Feel free to see my home page at https://dwheeler.com. You may also want to look at my paper Why OSS/FS? Look at the Numbers! and my book on how to develop secure programs.
(C) Copyright 2019 David A. Wheeler. Released under Creative Commons Attribution-ShareAlike version 3.0 or later (CC-BY-SA-3.0+).