Security researcher Alex Birsan had an idea last year while working with Justin Gardner, another researcher. That idea led to him gaining access to the internal systems of over 35 major tech companies in a supply chain attack, among them Microsoft, Apple, Netflix and Uber. The attack was so sophisticated that it needed no action from the victims, who automatically received the malicious packages. It leveraged a unique design flaw of the open-source ecosystems.
However, the researcher published every package under his own account with a clear disclaimer, which stated: “This package is meant for security research purposes and does not contain any useful code.” Birsan made over $130,000 for his research efforts.