Most people think of hacks as someone gaining access to their computer or their website directly and then adding malicious code or stealing personal information. Many hacks do occur that way.
A scarier hack occurs when the attacker gains access to the source of a program you regularly use. Say for instance they hacked into Microsoft and inserted their malicious code into MS Word. You then download Word to your computer, trusting Microsoft. And when you start up the program the malicious code starts doing its damage.
This scenario is similar to what was discovered in late 2020 to a company named SolarWinds. SolarWinds supplies software to a bunch of important governmental entities in the US. Among the departments affected were U.S. Treasury, the U.S. Department of Homeland Security, and the U.S. Commerce Department. It’s possible that as many as 18,000 SolarWinds customers have been affected. The extent of the damage is still unfolding at the time of this writing.
Another example of a supply chain hack occurred with several WordPress plugins in 2017. The trusted longtime developer of the popular FastSecure Contact Form plugin was approached by another developer with a reasonably lucrative offer to buy the plugin, and the deal was made. Several other plugins by other developers with a smaller installation base were also purchased by the same developer. That’s perfectly reasonable behavior on the part of the seller, and if the buyer was reputable that end would have been fine too. But he wasn’t. What happened next is that the malicious purchaser then released modified versions of those plugins containing spam backdoors, allowing him to use his victim’s sites to send boatloads of spam.
Supply chain hacks are very difficult to control by the end user of the software. We place a lot of trust in our software sources, and though it doesn’t happen often it is always a possibility that what we download has been secretly compromised. The WordPress plugin repository team does an excellent job but with over 58,000 plugins, many being updated on a regular basis, there’s no way that they can check every new release.