Will a supply chain attack akin to the xz backdoor targeting developer toolchains be discovered before 2025?
➕
Plus
22
Ṁ1439
Jan 1
17%
chance

Market resolves YES if a vulnerability/backdoor is intentionally introduced into an open source project used heavily by developers for the purpose of developing software, or if in my estimation it appears to directly target developer users. The market will resolve 12/31/24, so it must be discovered by then to qualify. Must be a project with at least 1k GitHub stars at the time of discovery.

Examples of projects I would consider part of developer toolchains under most circumstances (not an exhaustive list):

• homebrew (maybe arbitrary, but my assumption is that mostly developers use this)

• Linters/formatters

• LSPs

• Text editors and plugins/etc

• AI code assistants

• Programming environment/version managers (pipenv, rbenv, nvm, etc)

Examples of projects I would not consider in-scope under most circumstances:

• The Linux kernel

• curl

• OpenSSH

• General LLMs

• Most libraries that are simply imported into other software projects

Get
Ṁ1,000
and
S1.00
Sort by:

https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/ stole

access tokens required to publish packages from developer machines. Do I understand correctly that this qualifies, because it specifically targets developers?

Yes, an event like this would count if it was discovered after the creation of this market

How will this resolve if something was added before the xz backdoor was reported, and found now that more people are looking?

Also, what if there's another attack in xz already, targeting developers, like joeyh suggests with gcc here: https://joeyh.name/blog/entry/reflections_on_distrusting_xz/

@i_i Yeah I should have emphasized discovery vs introduction time in the title. Just updated it

bought Ṁ55 NO

Does it count if a general-use library is backdoored and it, among other things, gets into developer tools? (I think this happened with https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor/ )?

Does it count if a general-use library is backdoored with the specific intent to exclusively target a developer tool?

@jacksonpolack I would try to determine if the primary intent was to affect developer tool chains, but that may be difficult to assess. Evidence might include e.g. introducing a vulnerability in ProjectA and then promoting its use in a developer tool ProjectB. If there is no such evidence, I will be conservative in what counts as incidental vs intentional.