Question: What kind of data can an attacker steal after compromising a developer?

Louis Lang, security researcher, CTO of Phylum: We have spent a long time convincing people they shouldn’t open email attachments from unknown senders. We have spent considerably less time convincing the wider developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the absolute best case, the attacker may have gained access to a junior engineer's machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free reign to modify the organization's source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure and likely the ability to bypass certain code checks. This scenario, where this kind of an engineer is compromised, would be devastating for an organization.

This is not hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailor-made to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even attempted to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the lynchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and could lead to catastrophic consequences.