The title says it all.
Saw this awesome article on Bleeping Computer about a supply chain attack.
A supply chain attack as defined by Microsoft is:
Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Microsoft
I don’t know if I’d call them “emerging” as they’ve been around for quite a bit. Anyway, the Bleep Computer article discussed how Palto Alto Networks Unit42 discovered a cloud video hosting service that was used among over a hundred real estate sites was compromised. Malicious Javascript was introduced thus leading to people who visited the site and purchased something to having their credit info skimmed.
I find these type of attacks to be so interesting. A great technical breakdown is available in the Bleeping Computer Article, I won’t walk you through it. However I highly suggest reading it!! Note the preview image of this post is actually the obfuscated code as seen in the wild!
Guessing using an SRI-hash on a cross-domain script inclusion would’ve solved this issue! Another reminder to always check scripts you use on your applications even though that’s a tough thing to do!
Check out the article HERE