Firas Aboukhadijeh
Appearances
The Changelog: Software Development, Open Source
Leveling up JavaScript with Deno 2 (Interview)
Yeah, so I think the XZ Utils backdoor was really eye-opening to a lot of developers. It showed the vulnerability of the open source ecosystem. You had this maintainer who had been tirelessly maintaining this package for 15 years, who was targeted by nation-state actors, who created, like literally, it's like a spy movie, right?
They had multiple personas, fake personas, that were contacting this poor maintainer. And, you know, working on him psychologically to convince him over the course of two years to add them to the repository and give them publish permissions. And they did this through a bunch of kind of negative messages, but also by being helpful and by sending good positive pull requests.
It's really like, I really think it's out of a spy movie, just kind of the level of effort that they put into this. And what they were able to do is get access to this package. This is built into pretty much every Linux server out there.
And what this would have let them do is it would have let them SSH into any server and run any command on the server without knowing the password, without being authenticated to the server. So this would have been like a world ending, potentially kind of an attack, right? It would have been probably the worst attack we've ever seen. I'm not exaggerating.
It could have been that bad, but we were lucky through a total accident. This backdoor dependency had made it into the beta builds of some popular Linux distros, but it hadn't made it all the way out to the stable version yet. And a developer who was testing out the beta versions of these Linux distros noticed some weird behavior.
He noticed that his SSH connection was taking half a second too long. And so he pulled the thread and traced it back to this backdoor dependency. And we were all saved because of this total accident. It's mind-blowing to me for a couple reasons. One, obviously, wow, there's literally states out there, countries that are trying to target open source now. Clearly, there's a team behind this.
They probably didn't just work on this one dependency. They were probably working on getting access to many other ones in parallel. If you just look at the time between the emails they sent to the maintainer, there was about a month between some of these emails. So they were probably working on other maintainers and trying to get access during that time. So that's really scary.
I also think it's pretty scary to see kind of the fact that it took an accident to find the attack. It makes me think, like, how many have we not caught as a community? How many have we missed if this one was caught by a total accident? It was eye-opening to a lot of people, and it made people realize that there really is a threat in the open source ecosystem.
And it's not because most people are bad. It's the opposite. Most people are good, but there are a few bad actors out there taking advantage of the trust in the system. That's really where we come in. We're trying to give every company the tools to protect themselves from those types of attacks. And that's what we do at Socket.