Software Has a Serious Supply-Chain Security Problem

THE WARNINGS CONSUMERS hear from information security pros tend to focus on trust: Don’t click web links or attachments from an untrusted sender. Only install applications from a trusted source or from a trusted app store. But lately, devious hackers have been targeting their attacks further up the software supply chain, sneaking malware into downloads from even trusted vendors, long before you ever click to install.

On Monday, Cisco’s Talos security research division revealed that hackers sabotaged the ultra-popular, free computer-cleanup tool CCleaner for at least the last month, inserting a backdoor into updates to the application that landed in millions of personal computers. That attack betrayed basic consumer trust in CCleaner-developer Avast, and software firms more broadly, by lacing a legitimate program with malware—one distributed by a security company, no less.