CocoaPods flaws left iOS, macOS apps open to supply-chain attack
Briefly

"An attacker would be able to manipulate the source code or insert malicious content into the newly claimed Pod," EVA warned. "This pod would then go on to infect many downstream dependencies."
EVA said that mentions of orphaned Pods appeared in the documentation of applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams), as well as in those of TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.
The security researchers found 685 Pods with an explicit dependency on an orphaned Pod, a figure that is likely a fraction of the true total once proprietary codebases are taken into account.
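The distinction the researchers draw matters for triage: a Pod that lists an orphaned Pod in its own spec is an explicit (direct) dependent, but the "downstream dependencies" EVA warns about are everything that transitively pulls the orphaned Pod in. The following Ruby script is an added example, not code from the article, from EVA or from the CocoaPods project. It reads the PODS section of a Podfile.lock (CocoaPods writes it as YAML, so the standard library parser handles it) and reports both sets. The lockfile contents and every pod name in it are constructed for illustration; "OrphanKit" is a hypothetical stand-in for an abandoned Pod, since the article names none.

```ruby
require 'yaml'

# Constructed sample Podfile.lock (not taken from any real project).
# All pod names are hypothetical; OrphanKit plays the abandoned Pod.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - Alamofire (5.8.0)
    - AnalyticsSDK (2.1.0):
      - NetworkingKit (~> 3.0)
    - NetworkingKit (3.0.4):
      - Alamofire (~> 5.8)
      - OrphanKit (~> 0.9)
    - OrphanKit (0.9.2)
    - SnapKit (5.6.0)

  DEPENDENCIES:
    - AnalyticsSDK (~> 2.1)
    - SnapKit (~> 5.6)
LOCK

# Hypothetical list of pods you have determined to be orphaned.
ORPHANED = %w[OrphanKit].freeze

# "NetworkingKit (3.0.4)" -> "NetworkingKit"; a subspec "Foo/Bar (1.0)" is
# collapsed to its root pod "Foo", since the root spec is what gets claimed.
def pod_name(entry)
  entry.sub(/\s*\(.*\)\z/, '').split('/').first
end

# Build pod => [direct dependency names] from the PODS section. Pods without
# dependencies appear as plain strings; pods with dependencies as one-key hashes.
def dependency_graph(lockfile_text)
  lock = YAML.safe_load(lockfile_text)
  graph = {}
  Array(lock['PODS']).each do |entry|
    if entry.is_a?(Hash)
      entry.each do |pod, deps|
        (graph[pod_name(pod)] ||= []).concat(deps.map { |d| pod_name(d) })
      end
    else
      graph[pod_name(entry)] ||= []
    end
  end
  graph.transform_values(&:uniq)
end

# Invert the graph: pod => pods that declare it as a direct dependency.
def reverse_graph(graph)
  rev = Hash.new { |h, k| h[k] = [] }
  graph.each { |pod, deps| deps.each { |d| rev[d] << pod } }
  rev
end

# Pods whose own spec lists an orphaned pod: the "explicit dependency" count.
def direct_dependents(graph, orphaned)
  graph.select { |_, deps| deps.any? { |d| orphaned.include?(d) } }.keys.sort
end

# Everything reachable upward from an orphaned pod: the downstream blast
# radius if that pod is claimed and a malicious version is published.
def transitive_dependents(graph, orphaned)
  rev = reverse_graph(graph)
  seen = {}
  queue = orphaned.dup
  until queue.empty?
    current = queue.shift
    rev[current].each do |parent|
      next if seen[parent]
      seen[parent] = true
      queue << parent
    end
  end
  seen.keys.sort
end

# Which of the app's own top-level DEPENDENCIES would carry the tainted code.
def exposed_top_level(lockfile_text, orphaned)
  lock = YAML.safe_load(lockfile_text)
  affected = transitive_dependents(dependency_graph(lockfile_text), orphaned) + orphaned
  Array(lock['DEPENDENCIES']).map { |d| pod_name(d) }.select { |d| affected.include?(d) }.sort
end

if $PROGRAM_NAME == __FILE__
  graph = dependency_graph(SAMPLE_LOCKFILE)
  puts "Orphaned: #{ORPHANED.join(', ')}"
  puts "Explicit dependents:   #{direct_dependents(graph, ORPHANED).join(', ')}"
  puts "Transitive dependents: #{transitive_dependents(graph, ORPHANED).join(', ')}"
  puts "Exposed top-level:     #{exposed_top_level(SAMPLE_LOCKFILE, ORPHANED).join(', ')}"
end
```

Run it against a real Podfile.lock by replacing SAMPLE_LOCKFILE with `File.read('Podfile.lock')`; the orphaned list still has to come from your own investigation of each pod's owner and source repository, which this script does not perform.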
Read at CSO Online