Why inject malicious code when you can get developers to willingly download it?

In case you weren’t worried enough about online security, I ran across this column recently that details a plausible exploit to grab logon credentials, credit card info, and more by adding malicious code to an open source javascript library:

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

While this applies to a javascript exploit, the same concept could be used for any other number of open source code/library repositories. In today’s world where nearly every application we develop depends on myriad other libraries, how many of us developers can really say we know all the code that’s running on our websites?

Leave a Reply

Your email address will not be published. Required fields are marked *