Josh Bressers on Nostr: While #xz has been a pretty popular topic lately, I just learned of a very similar ...
While #xz has been a pretty popular topic lately, I just learned of a very similar attack that happened against the MinecraftOnline server in 2022/2023
The Gradle folks have a nice writeup
https://blog.gradle.org/wrapper-attack-report
I did some digging, and found the timeline
2022-07 the compromised plugin was built
2022-09 compromised plugin deployed
2023-01-09 compromise detected
I haven't figured out when the attacker joined the project yet, but clearly they had some level of trust and authority