Author’s voice: The OpenSSH backdoor incident serves as a stark reminder of the risks involved in open source development and supply chain attacks. The attackers targeted the build system, making the attack hard to detect. The xz-utils backdoor, a recent case, was designed with precision and optionality, offering flexibility to attackers. The historical 2002 attack was more about mayhem and fun, lacking the execution seen in the modern attack. That attack targeted the infrastructure, similar to what could still happen today. The possibility of supply chain attacks evolving in the future requires a shift towards attack surface reduction and compartmentalization. It’s time for radical changes in how we approach operating system design and application development.
https://blog.isosceles.com/openssh-backdoors/