Massive Supply Chain Attack: Malware Delivered via Abandoned Amazon S3 Buckets
2025-02-12
Researchers re-registered roughly 150 abandoned Amazon S3 buckets for around $400 and found that deployed software was still fetching libraries and updates from them: the buckets received eight million requests in two months. Because whoever owns a bucket name controls what is served from it, an attacker who claims an abandoned bucket could hand malware to every client still pointing at it, spreading it widely through software updates, a SolarWinds-style attack on a much larger scale. The original owners cannot simply fix this: the bucket URL is hard-coded into software already shipped, so they cannot push a patch to the clients that still contact it, they often cannot even tell which products and versions are affected, and the party that takes over the bucket controls the update channel. This underscores the critical flaws in software supply chain security; fixing it will be both difficult and expensive.
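The practical check a vendor or operator can run today is to find every S3 bucket reference in their install scripts, CI pipelines and update URLs, and ask S3 whether each bucket still exists. The following is an added example, not code from the original post or from the researchers: it extracts bucket names from the three common reference styles and classifies each by the HTTP status of an unauthenticated HEAD request, with the network call injected so it can run offline. The script text, bucket names and status table are constructed for illustration and belong to no real project.

```python
"""Find S3 bucket references in scripts and flag buckets that no longer exist.

A bucket that returns 404 (NoSuchBucket) can be created by anyone with an AWS
account, so every client still fetching from it is a supply-chain risk.
Added example; bucket names and sample script are constructed, not real.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed sample: the kind of lines an installer or CI script might contain.
SAMPLE_SCRIPT = """
curl -O https://example-vendor-updates.s3.amazonaws.com/agent/latest.tar.gz
aws s3 cp s3://example-vendor-templates/cfn/stack.yaml .
wget https://s3.us-west-2.amazonaws.com/example-vm-images/appliance.ova
curl https://example.com/not-an-s3-reference
"""

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
S3_REF_PATTERNS = [
    # virtual-hosted: https://bucket.s3.amazonaws.com/ or https://bucket.s3.<region>.amazonaws.com/
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # path-style: https://s3.amazonaws.com/bucket/ or https://s3.<region>.amazonaws.com/bucket/
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET),
    # s3:// URIs as used by the AWS CLI and SDKs
    re.compile(r"s3://" + _BUCKET),
]


def extract_bucket_names(text: str) -> List[str]:
    """Return the sorted, de-duplicated set of bucket names referenced in text."""
    names = set()
    for pattern in S3_REF_PATTERNS:
        for match in pattern.finditer(text):
            names.add(match.group("bucket"))
    return sorted(names)


def classify_bucket(name: str, head: Callable[[str], int]) -> str:
    """Classify a bucket from the status of an unauthenticated HEAD on its endpoint.

    DNS is useless here: S3 uses a wildcard, so <anything>.s3.amazonaws.com
    resolves whether or not the bucket exists. Only the HTTP status tells you.
    `head` is injected so the logic can be exercised without network access.
    """
    status = head(f"https://{name}.s3.amazonaws.com/")
    if status == 404:
        return "dangling"   # NoSuchBucket: claimable by anyone
    if status in (200, 301, 307, 403):
        return "exists"     # 403 = exists but private; 301/307 = exists in another region
    return "unknown"


def audit(script_text: str, head: Callable[[str], int]) -> Dict[str, str]:
    """Map every referenced bucket to 'dangling', 'exists' or 'unknown'."""
    return {name: classify_bucket(name, head) for name in extract_bucket_names(script_text)}


def http_head(url: str) -> int:
    """Real probe (network required): status code of an unauthenticated HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


# Constructed responses standing in for S3, so the example runs offline.
FAKE_STATUS = {
    "example-vendor-updates": 404,    # abandoned: anyone could register it
    "example-vendor-templates": 403,  # still owned by someone, access denied to us
    "example-vm-images": 404,         # abandoned
}


def fake_head(url: str) -> int:
    """Offline stand-in for http_head keyed on the bucket name in the URL."""
    name = url.split("//", 1)[1].split(".s3.", 1)[0]
    return FAKE_STATUS.get(name, 404)


if __name__ == "__main__":
    # Swap fake_head for http_head to probe real buckets referenced in your own scripts.
    for bucket, state in audit(SAMPLE_SCRIPT, fake_head).items():
        print(f"{state:9s} {bucket}")
```

Two caveats when running this for real. A bucket reporting "exists" is not proof it is still the vendor's: an abandoned name may already have been claimed by a third party, so the real remediation is to stop trusting the location and instead verify a pinned digest or signature on every artifact before use. And a 403 only tells you the bucket belongs to some AWS account; confirm ownership out of band.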