{"id":2960,"date":"2024-04-05T16:48:49","date_gmt":"2024-04-05T21:48:49","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80015"},"modified":"2024-04-05T16:48:49","modified_gmt":"2024-04-05T21:48:49","slug":"supply-chain-attack-sends-shockwaves-through-open-source-community","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/05\/supply-chain-attack-sends-shockwaves-through-open-source-community\/","title":{"rendered":"Supply chain attack sends shockwaves through open-source community"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Supply chain attack sends shockwaves through open-source community | CyberScoop<\/title> <meta name=\"description\" content=\"An operation to undermine the software utility XZ Utils has exposed the fragile human foundations on which the modern internet is built.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Supply chain attack sends shockwaves through open-source community\"> <meta property=\"og:description\" content=\"An operation to undermine the software utility XZ Utils has exposed the fragile human foundations on which the modern internet is built.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-05T21:48:49+00:00\"> <meta property=\"article:modified_time\" content=\"2024-04-05T21:51:05+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1277\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712084567g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1710965597g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1711866546g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80015\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80015\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fxz-utils-open-source%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fxz-utils-open-source%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80015 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 
22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.634897360704\">\n<div class=\"single-article__header-content\" readability=\"29.780487804878\">\n<p> An operation to undermine the software utility XZ Utils has exposed the fragile human foundations on which the modern internet is built. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=1024,681 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=1536,1022 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=507,337 507w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=1015,675 1015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-2.jpg?resize=1267,843 1267w\" sizes=\"(max-width: 1015px) 100vw, 1015px\"><figcaption> A man in blue clothing holds a mask behind his back in this photo illustration. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"98.783269961977\"><body readability=\"198.54457050243\"><\/p>\n<p>Developers and security experts all over the world have been sent reeling over the past week by a narrowly avoided catastrophe in a software utility used in popular versions of the open-source operating system Linux.&nbsp;<\/p>\n<p>A week ago, a Microsoft developer was debugging a discrepancy in a networking protocol when he appears to have stumbled onto one of the most sophisticated supply chain attacks ever discovered.&nbsp;<\/p>\n<p>Beginning in February, a shadowy developer known as Jia Tan began to stealthily insert a backdoor into a piece of software known as XZ Utils, which is a compression utility present on most if not all versions of Linux \u2014 a piece of software that provides one of the basic building blocks of the internet as we know it.&nbsp;<\/p>\n<p>Had the backdoored XZ Utils been inserted into stable \u2014 as opposed to experimental 
\u2014 versions of Linux, Jia Tan and his (potential) collaborators would, in theory, have been able to break into Linux servers using the utility and run arbitrary code.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The particulars of this incident are even more alarming. Jia Tan was able to get himself designated as a maintainer on XZ Utils by taking advantage of the exhausted lone developer that had been maintaining the project.&nbsp;<\/p>\n<p>The near catastrophe has all the hallmarks of a highly patient espionage operation carried out by a sophisticated intelligence agency, but exactly who is behind it remains a mystery.&nbsp;<\/p>\n<p>XZ Utils had been kept up to date by a single maintainer working for free in his spare time. It is used throughout the world, from small projects to Fortune 500 companies, making the utility a prime target.<\/p>\n<p>\u201cIt\u2019s not a technology problem; it\u2019s a people problem. And that\u2019s what makes it worse,\u201d said Omkhar Arasaratnam, general manager at the Open Source Security Foundation, a part of the Linux Foundation. \u201cThis kind of erosion of trust wasn\u2019t because the computer was broken. 
It\u2019s because somebody tricked a human.\u201d<\/p>\n<p>The vulnerability \u2014 CVE-2024-3094 \u2014 could have impacted a significant portion of the world\u2019s servers, but even if the supply chain attack was ultimately unsuccessful, the brazen nature and close call of this incident has served as an alarm to the security community.&nbsp; There was no security protocol or technology that discovered and stopped this attack.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe good news is that we found it early,\u201d Arasaratnam said.<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency sent an <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/03\/29\/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094\">alert warning<\/a> about the package and <a href=\"https:\/\/www.redhat.com\/en\/blog\/urgent-security-alert-fedora-41-and-rawhide-users\">pointed to a warning<\/a> from Red Hat, an enterprise open-source software company, about the backdoor.<\/p>\n<p>The incident appears to have its origins in October 2021, when an individual calling themselves \u201cJia Tan\u201d <a href=\"https:\/\/www.mail-archive.com\/xz-devel@tukaani.org\/msg00512.html\">sent what was to become the first<\/a> of many \u201cfixes\u201d to the mailing list for the data compression library.<\/p>\n<p>A few months later in March, two more personas enter the scene using the monikers \u201cJigar Kumar\u201d and \u201cDennis Ens.\u201d They begin a pressure campaign targeting the project\u2019s maintainer, Lasse Collin, criticizing him for his lack of updates with the apparent goal of getting Jia Tan on board as a new maintainer, <a href=\"https:\/\/research.swtch.com\/xz-timeline\">according to a timeline<\/a> put together by Russ Cox, a programmer at Google.<\/p>\n<p>At one point, <a 
href=\"https:\/\/www.mail-archive.com\/xz-devel@tukaani.org\/msg00570.html\">Jigar asks<\/a>, \u201cJia I see you have recent commits. Why can\u2019t you commit this yourself?\u201d A \u201ccommit\u201d is a term for adding code to a project that is only available for those who have specific access to that repository, and Jigar\u2019s message appears aimed at convincing Collin to give Jia greater authority over XZ Utils as a maintainer.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>At the time, Collin was suffering from personal and mental health issues. He eventually acquiesced and made Jia Tan a maintainer on the project nearly a year after Tan sent the first fix.&nbsp;<\/p>\n<p>Having acquired the authority he sought, Jia Tan then slowly began adding malicious code, bit by bit, until the backdoor was added to a XZ version.&nbsp;<\/p>\n<p>Then, Tan began to pressure different <a href=\"https:\/\/news.ycombinator.com\/item?id=39866275\">Linux distributions<\/a> to add the malicious version to their operating systems.<\/p>\n<p>The backdoor only works for a few Linux distributions, such as Debian and Fedora, but they are among the largest and most widely used. There are also <a href=\"https:\/\/doublepulsar.com\/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd\">signs<\/a> that Tan rushed the supply chain attack in the final months, as another program was set to implement a change that would have rendered the attack useless, according to the researcher Kevin Beaumont.<\/p>\n<p>Jia Tan would have gotten away with it, too, if it wasn\u2019t for a curious software engineer named Andres Freund. Freund, who works at Microsoft, stumbled upon the backdoor while trying to debug performance issues on SSH, a network protocol that is a secure way to communicate between computers and is often used to login to a remote desktop or server. 
The discovery itself was almost pure luck. Freund <a href=\"https:\/\/mastodon.social\/@AndresFreundTec\/112180406142695845\">said<\/a> uncovering the backdoor required \u201ca lot of coincidences.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Freund then <a href=\"https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4\">alerted<\/a> the open-source community about what he found, setting off a frenzy of official alerts, investigations, the creation of free scanning tools, and dozens of blog posts about a historic caper that could have been disastrous.&nbsp;<\/p>\n<p>The reaction best illustrates the power of open-source projects: Within a few days, analysts graphed GitHub commits to timelines, malware researchers took apart the code, IRC chats were logged and researchers picked apart what had happened.<\/p>\n<p>For defenders of <a href=\"https:\/\/cyberscoop.com\/white-house-securing-open-source-software\/\">open source<\/a>, the incident is something of a vindication of the community\u2019s premise: that openly available code can be scrutinized to find vulnerabilities.&nbsp;<\/p>\n<p>But that assumes that all of Jia Tan\u2019s malicious code has been discovered.<\/p>\n<p>Jia Tan appears to have contributed to other open-source projects, such as the widely used compression library libarchive, and now the hunt is on for whether his contributions to these tools sought to undermine them.&nbsp;&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>According to the cybersecurity firm NetRise, contributions from Tan in libarchive found their way into at least 180 instances of the firmware of operational technology, Internet of Things devices and network devices. 
And while it\u2019s not clear whether there is any malicious code \u2014 particularly as the contributions may have been a part of building the persona \u2014 the risk remains.<\/p>\n<p>The complicated nature of the case, the years spent working on the utility, the complex code and multiple personas apparently working together have led many security experts to conclude that the operation targeting XZ Utils <a href=\"https:\/\/jfrog.com\/blog\/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know\/#who-is-affected-by-cve-2024-3094\">was carried out by a nation state<\/a>.&nbsp;<\/p>\n<p>Whoever Jia Tan and his apparent compatriots Dennis and Jigar worked for, they appeared to have good operational security, as none of their email addresses have been seen elsewhere on the internet, including in data leaks, according to <a href=\"https:\/\/infosec.exchange\/@briankrebs\/112197305365490518\">journalist<\/a> Brian Krebs.<\/p>\n<p>A timeline of Tan\u2019s commits to GitHub shows what appears to be someone based in China, as does his name. However, <a href=\"https:\/\/rheaeve.substack.com\/p\/xz-backdoor-times-damned-times-and\">analysis by researchers<\/a> Rhea Karty and Simon Henniger suggests that this might be a misdirection. Based on inconsistencies in the timezone in the commit metadata and a few times when they worked during Chinese national holidays, they hypothesize that Tan is actually based somewhere in Eastern Europe.<\/p>\n<p>Security concerns around open-source software often are centered around unintentional mistakes in code that can introduce a vulnerability in widely used software. 
And while concerns of a malicious hacker abusing open-source packages to open a pathway for future attacks are not new, many of the publicly known cases are financially motivated, such as cryptocurrency miners that rely on an unknowing user installing a malicious open-source package.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In December, the Python package index PyPI <a href=\"https:\/\/status.python.org\/incidents\/0mld3fml68nd\">temporarily shut off<\/a> new registration due to the \u201cvolume of malicious users and malicious projects.\u201d<\/p>\n<p>In many open-source projects, there is a certain amount of trust in the maintainer, explained Arasaratnam. The modern economy depends on and largely exists because of a cadre of volunteers who work, often for free as a side project or hobby, on programs that underpin nearly all aspects of digital life. Maintainers are often the first and last line of defense in quality of code, feature requests and, ultimately, risks.<\/p>\n<p>There likely is not going to be a \u201csilver bullet\u201d that can protect against nation-state operations like the XZ case, Arasaratnam said.<\/p>\n<p>\u201cThe problem is this notion of trust,\u201d Arasaratnam said. \u201cA trusted maintainer is going to find a different way to manipulate that trust if they\u2019re a bad actor in the system. That\u2019s the part where I think the community doesn\u2019t have consensus yet as to how to address that. 
And it\u2019s going to be a long journey for us.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.6633663366337\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/supply-chain-attack-sends-shockwaves-through-open-source-community-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section 
class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Supply chain attack sends shockwaves through open-source community | 
CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[281,1073,1813,649,288],"tags":[285,1076,1814,652,294],"class_list":["post-2960","post","type-post","status-publish","format-standard","hentry","category-hacking","category-open-source","category-supply-chain","category-supply-chain-security","category-threats","tag-hacking","tag-open-source","tag-supply-chain","tag-supply-chain-security","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-security\/\" rel=\"category tag\">supply chain security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2960"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2960\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}