Trojan Source - Malware hiding in plain sight in OSS

This is a fascinating article on a hack that has been possible in open source repositories for a long time, but may only be recently exploited. The page includes a link to their academic paper.

The gist is that bad actors could slip malware into code-reviewed source by using text character tricks to hide function calls to unsafe functions, or even change program logic to bypass admin checks. The paper gives examples in C, C++, C#, JavaScript, Java, Rust, Go, and Python.

One example shows C code like this:

#include <stdio.h>
#include <stdbool.h>

int main() {
bool isAdmin = false;
/* begin admins only */ if (isAdmin) {
    printf("You are an admin.\n");
/* end admins only */ }

return 0;

Which looks pretty ironclad that it is not going to act as admin. Yet the provided sample code does print “You are an admin.”

The technique is to put the “if (isAdmin)” check inside the preceding comment, but surround it with non-printing characters that make it look like it is after the comment - essentially exposing the privileged admin-only code.

I think it would be huge for Tidelift to offer to its customers that the source code for Tidelift maintainers is scanned for the types of exploits listed in this paper. Or at least for Tidelift maintainers to include such a scanner as part of their own CI process.

– Paul