From news.hitb.org
![Arstechnica](https://news.hitb.org/sites/default/files/styles/large/public/2022-05/skull-ones-zeros-800x636.jpeg?itok=aT4FwEjG)
A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploits public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.
Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher, Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.