2024-08-06 –, Opal
Join us for a revealing exploration of open-source trust and its vulnerabilities. In this captivating workshop, we will delve into the fascinating world of developer credibility and the unsettling phenomenon of faking GitHub and Hugging Face contributions. With open source becoming an integral part of software development, we find ourselves relying on strangers to provide us with code. Trust is often placed in factors like the number of stars on a package or the credibility of the package's maintainer on GitHub. However, what if I told you that all of this could be convincingly spoofed?
In the current era of software development, open-source collaboration stands as a paramount force, with trust serving as the fundamental cornerstone upon which this ecosystem flourishes.
In this workshop, we will show how to fake data on GitHub and, time permitting, on Hugging Face.
Tal Folkman is a seasoned senior malware researcher and accomplished expert in cybersecurity with over 8 years of experience in the field. Tal possesses exceptional skills in detecting and analyzing malicious code present in open-source software supply chains.
In 2021, Tal joined Dustico, a software supply chain security startup that was later acquired by Checkmarx. Prior to this, she served for 5 years as both member and leader of IDF's Cybersecurity Red Team. Currently, Tal and her team are dedicated to identifying and combating software supply chain attackers, thereby ensuring the safety and security of the ecosystem.