
Upstream attacks likely due to new Trojan Source vulnerability

SC Media reports that the new “Trojan Source” vulnerability, which allows malicious source code to be injected stealthily, could expose companies to upstream attacks similar to the SolarWinds supply chain breach nearly four years ago.

Threat actors could exploit the flaw by manipulating the Unicode bidirectional (bidi) algorithm with control characters that hide instructions in source code, so that what a reviewer sees rendered differs from what the compiler parses. When executed, the hidden text can produce a “premature return” that breaks out of a function early, or cause live code to be displayed as a comment, either of which can then be used to inject vulnerabilities, according to a study by researchers Nicholas Boucher and Ross Anderson of the University of Cambridge.

Boucher and Anderson added that infections caused by attacks on code-sharing sites could also spread to other apps and services.

Although GitHub, BitBucket, Emacs, Rust and Visual Studio Code have already implemented measures to prevent potential vulnerabilities caused by bidi manipulation, developers are strongly encouraged to be alert to parts of their source code that may have been copied from shared repositories.