A new report reveals that state-sponsored actors are actively and methodically attempting to weaponize open-source software (OSS), posing a significant threat to global digital infrastructure. The research, conducted by strategic intelligence firm Strider Technologies, details how individuals with direct affiliations to countries like China and Russia are subtly contributing malicious code to publicly available software, which is then used by millions of organizations and developers worldwide.
The report, “Lying in Wait: Understanding the Contributors Behind Open Source Code,” found that foreign adversaries are exploiting the collaborative and open nature of OSS ecosystems. By building credibility over time and contributing seemingly innocuous code, these actors can introduce sophisticated backdoors and exploits. The goal is to embed these threats deep within the software supply chain, allowing for future espionage, data theft, or disruptive cyberattacks on a massive scale.
One notable example cited in the report is the attempted backdoor in XZ Utils, a file transfer tool used in various Linux builds. While the malicious code was discovered before it could be widely exploited, it highlighted the sophisticated and long-term nature of these campaigns.
Strider’s analysis identified contributors to popular OSS repositories who have ties to sanctioned entities and state-affiliated organizations. For instance, in one code base for an AI model, the report found that more than 20% of contributors had connections considered to be national security risks. The report specifically called out individuals with past employment at Russian companies sanctioned by the U.S. for their role in cyberattacks and Chinese firms known for collaborating with state-affiliated defense conglomerates.
The findings underscore a critical vulnerability in the global digital landscape. As Strider’s CEO, Greg Levesque, noted, “Open source software platforms are the backbone of today’s digital infrastructure, yet in many cases it’s unclear even who is submitting the code. In turn, nation-states like China and Russia are exploiting this visibility gap.”
The report serves as a stark warning to both the private and public sectors, emphasizing the need for greater transparency and security measures within the OSS ecosystem. It highlights a new era of geopolitical risk where the very software that powers modern technology can become a vector for state-sponsored cyber warfare.
