SC Media reports that organizations could be subjected to upstream attacks similar to the SolarWinds supply chain intrusion nearly four years ago through the exploitation of the new "Trojan Source" vulnerability, which enables stealthy malicious source code injections.
Threat actors could leverage the flaw to facilitate Unicode bidirectional algorithm manipulation with concealed instructions, which when executed allows either "early return" intrusions or the passing off of code as comments that would then enable vulnerability injections, according to a study from Cambridge University researchers Nicholas Boucher and Ross Anderson.
Infections could also spread to other apps and services through code-sharing site targeting, added Boucher and Anderson.
While GitHub, BitBucket, Emacs, Rust, and Visual Studio Code have already implemented measures to avert potential compromise via Bidi manipulation, developers have been urged to remain vigilant of portions of their source codes that could have been copied from shared repositories.
