Backdoors snuck into 12 OSS packages were downloaded hundreds of thousands of times.
The only recourse once a server installs a backdoored app is a complete rebuild, a task so onerous that it is sure to be skipped on many of the 100,000 or more systems that received one of the maliciously tampered packages discovered this week.
“Without a clean reinstall of the OS and application, along with key and credential rotation, there is a significant risk that the system will remain compromised,” Kenn White, director of the Open Crypto Audit Project, told Ars. “I've declined more than one engagement because the operators believed they could manually inspect the system via, for example, file differences, and make a valid assessment themselves. That's naive, to say the least.”