A kernel breach happened, iirc, on an SVN server in 2013, but was detected almost immediately.
If I were a nation state I wouldn’t try to poison the mainline kernel - there would be far easier sources along the stack for both local and remote attacks which would more easily go unnoticed. Tools that come to mind are systemd, openssh, http/ftp services, GNU tools and common non-GNU shell utilities. Failing that, distribution-level kernels would be my next bet, purely because any commits would be less scrutinised.
The attack surface is so large, I'm surprised we're not dealing with backdoors much more often (not just nation states, but also commercial hacker groups).
Yeah, a tweet said this is the beginning of a decade of those sorts of attacks which I agree with. It’ll start with pip, npm, etc, then move to bigger targets.
For that reason I’ve moved away from those managers and stuff like React (I trust Facebook, but dependency trees are huge) - the worst part is you can’t not patch, but you might be doomed by any upgrade.
I think eventually it’ll snuff out innovation in medium sized businesses and government - large businesses can afford the cost of manual review and startups will ignore the risk, but middle-tier will be screwed.
I’d love to see a crowdsourced review model, but I just don’t think it can be viable without getting abused.
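The "dependency trees are huge, but any upgrade might doom you" point above can be made concrete by measuring what a single routine bump actually changes in the transitive tree. The following is an added example, not code from the thread or from any package manager; the two lockfile snapshots are constructed, simplified package-lock-style maps (name to version and direct dependencies) with made-up package names and versions, not real packages.

```python
"""Measure how much of a dependency tree one upgrade actually touches.

Added example. LOCK_BEFORE and LOCK_AFTER are constructed, simplified
package-lock-style snapshots (package name -> version and direct deps);
the names and versions are invented for illustration only.
"""
from collections import deque

# Constructed "before" snapshot: an app that directly asks for two packages.
LOCK_BEFORE = {
    "app":         {"version": "1.0.0", "dependencies": ["ui-lib", "http-client"]},
    "ui-lib":      {"version": "2.3.1", "dependencies": ["dom-utils", "scheduler"]},
    "dom-utils":   {"version": "1.1.0", "dependencies": ["tiny-assert"]},
    "scheduler":   {"version": "0.9.4", "dependencies": []},
    "http-client": {"version": "4.0.2", "dependencies": ["tiny-assert"]},
    "tiny-assert": {"version": "1.0.0", "dependencies": []},
}

# Constructed "after" snapshot: a patch-level bump of ui-lib (2.3.1 -> 2.3.2)
# silently pulled in a brand-new transitive package and re-resolved others.
LOCK_AFTER = {
    "app":         {"version": "1.0.0", "dependencies": ["ui-lib", "http-client"]},
    "ui-lib":      {"version": "2.3.2", "dependencies": ["dom-utils", "scheduler", "telemetry"]},
    "dom-utils":   {"version": "1.1.0", "dependencies": ["tiny-assert"]},
    "scheduler":   {"version": "0.9.5", "dependencies": []},
    "telemetry":   {"version": "0.1.0", "dependencies": ["http-client"]},
    "http-client": {"version": "4.0.2", "dependencies": ["tiny-assert"]},
    "tiny-assert": {"version": "1.0.1", "dependencies": []},
}


def transitive_deps(lock, root):
    """Return every package reachable from `root` (excluding root itself).

    Breadth-first walk over the direct-dependency lists; a `seen` set stops
    cycles, and a package missing from the lock is treated as a leaf.
    """
    seen = set()
    queue = deque(lock[root]["dependencies"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(lock.get(name, {}).get("dependencies", []))
    return seen


def lock_diff(before, after, root="app"):
    """Compare the two reachable trees for `root`.

    `added`/`removed`/`changed` describe the whole transitive tree;
    `transitive_only` lists the new or re-versioned code that `root` never
    requested directly, which is exactly the part nobody reviews on a
    "harmless" upgrade.
    """
    old = transitive_deps(before, root)
    new = transitive_deps(after, root)
    direct = set(before[root]["dependencies"]) | set(after[root]["dependencies"])
    added = new - old
    changed = {n for n in old & new if before[n]["version"] != after[n]["version"]}
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "changed": sorted(changed),
        "transitive_only": sorted((added | changed) - direct),
    }


if __name__ == "__main__":
    before_n = len(transitive_deps(LOCK_BEFORE, "app"))
    after_n = len(transitive_deps(LOCK_AFTER, "app"))
    print(f"reachable packages: {before_n} -> {after_n}")
    for key, names in lock_diff(LOCK_BEFORE, LOCK_AFTER).items():
        print(f"{key:16s} {names}")
```

On the constructed data, bumping one direct dependency by a patch version changes three packages and adds a fourth, and three of those four are code the application never listed. Running the same diff against a real lockfile before committing an upgrade is the cheapest way to see how much unrequested code a "patch" release brings along.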