Security researchers have discovered a new technique to inject malware into source code while remaining invisible to human reviewers.
The Cambridge University researchers who shared the "Trojan Source" method say the attack "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers."
This tactic manipulates the encoding of source code files so compilers and human viewers see different logic, as discovered by Nicholas Boucher and Ross Anderson, the latter explained in a blog post.
The team made responsible disclosure to all companies and organizations whose products they found to have vulnerabilities.
Read more details here.