Attacks on software repositories

Please see in-toto/supply-chain-compromises for a more up-to-date and broader collection of attacks.

• In Nov 2016, WordPress was found to be vulnerable to a repository compromise.
• In Feb 2014, the Cyanogenmod updater is found to be vulnerable against MitM attacks.
• In Oct 2013, the php.net infrastructure was compromised; malware was served through web site and private key of SSL certificate may have been accessed.
• In Oct 2013, Adobe discovered illegal access of customer information as well as source code for numerous products..
• In Jul 2013, Ubuntu Forums was compromised and yielded the usernames, email addresses, and salted and hashed passwords of 1.82 million users.
• In Jun 2013, the Opera infrastructure was attacked and a signing certificate was used to sign malware.
• In Jan 2013, RubyGems.org was hit with a rogue code execution vulnerability.
• In Jan 2013, the Python.org wiki was attacked.
• In Nov 2012, the FreeBSD.org infrastructure was attacked and allowed for the compromise of third-party packages.
• In Sep 2012, a SourceForge.net mirror was caught serving corrupted copies of the phpMyAdmin package.
• In Sep 2012, Adobe revoked a code signing certificate used to sign malicious utilities.
• In Jul 2012, the Debian.org wiki was attacked.
• In Jun 2012, Microsoft announced a man-in-the-middle attack on the Windows Update infrastructure.
• In Mar 2012, GitHub was exploited to allow unauthorized access to repositories.
• In Feb 2012, the Horde project discovered remote execution backdoors introduced in their software after an intrusion.
• In Aug 2011, kernel.org announced that the main kernel.org server was compromised by an unknown intruder.
  • In Sep 2013, there remained open questions about the attack.
• In Jun 2011, intruders committed malicious code to the WordPress.org plugin repository.
• In Mar 2011, the wiki.php.net box was compromised and the attackers were able to collect wiki account credentials.
• In Jan 2011, the Fedora project announced a security intrusion in its infrastructure.
• In Dec 2010, a developer account was compromised to commit code to the PHP project.
• In Nov 2010, savannah.gnu.org announced that user accounts were compromised.
• In Nov 2010, the main ProFTPD.org distribution server was hacked to serve a compromised version of its package.
• In Aug 2010, evilgrade was presented at DEF CON 18 to show how easy it was to automatically exploit the update processes of applications such as Java, Winzip, Winamp, OpenOffice, iTunes, Quicktime, Safari, and more.
• In Jun 2010, the UnrealIRCd project discovered backdoors introduced to their software.
• In Apr 2010, Apache.org announced a security intrusion in its infrastructure.
• In Aug 2009, Apache.org announced a security intrusion in its infrastructure.
• In Oct 2008, Cappos et al. demonstrated attacks on package managers such as APT, APT-RPM, Pacman, Portage, Slaktool, rmpi, YaST, YUM and ports.
• In Aug 2008, the Fedora project and Red Hat reported intrusions of their infrastructure.
• In Mar 2004, GNOME.org reported intrusions of its infrastructure.
• In Dec 2003, Gentoo.org announced that one of its rsync rotation servers was compromised.
• In Dec 2003, savannah.gnu.org suffered a compromise of its infrastructure.
• In Nov 2003, an attempt was made to introduce a backdoor to the Linux kernel.
• In Nov 2003, Debian.org announced that its servers were compromised.