Conference:  Black Hat Asia 2023
Authors: Yakir Kadkoda, Ilay Goldman
2023-05-12

Our talk divides the cloud development flow into 5 phases: IDE, SCM, package managers, CI/CD and artifacts. We will demonstrate how supply chain attacks can affect organizations at each phase. This includes the risks of cloud, platforms, and application development, as well as the attacker's perspective on how to exploit these areas. We will unveil vulnerabilities and flaws in popular platforms corresponding to each one of the areas. We will also talk about the ecosystem and how developers are working with these platforms. Finally, we will show our original research, including vulnerabilities and flaws in various platforms, and talk about each finding and its implications and mitigations.
Authors: Daniel Elkabes
2022-06-22

tldr - powered by Generative AI

Malicious packages are a growing threat to organizations and communities, costing billions of dollars in damages. Attackers use various techniques to exfiltrate private information and evade detection. The community is exploring solutions such as SLSA and SBOM to reduce the risk, but categorizing malicious packages is still a challenge.
  • Malicious packages are a significant threat, costing billions of dollars in damages
  • Attackers use various techniques such as dependency hijacking, typosquatting, and brandjacking to exfiltrate private information and evade detection
  • Solutions such as SLSA and SBOM are being explored to reduce the risk of malicious packages
  • Categorizing malicious packages is a challenge for the community