Did some malware reversing for the community this week in response to someone attempting to SE a malicious plugin into @pidgin, a major open-source project. The project maintainer (@grimmy) was very quick to respond, pulling security folks in immediately.
Additionally, this led to the furtherance of their transparency policy, requiring all code for all plugins to be open-sourced for community review.
Supply chain attacks come from all angles, including code you don't compile or distribute but that users may still install, tainting the reputation of your application.
(longer blog post inbound)
https://pidgin.im/posts/2024-08-malicious-plugin/