The ‘Trojan Source’ Attack Method Allows the Injection of Vulnerabilities Into Open-Source Code

Unfortunately, vulnerabilities introduced with this method cannot be detected by human reviewers.

To build vulnerable binaries, Trojan Source uses a simple method that does not need to alter the compiler.

Malicious actors can use the technique to carry out supply chain attacks because it works with some of the most frequently used computer languages today.

The “Trojan Source” class of attacks, which might compromise first-party software and supply chains, was revealed and demonstrated by researchers from the University of Cambridge.

They illustrate how an attacker may target the encoding of source code files to introduce vulnerabilities in projects written in C, C++, C#, JavaScript, Java, Rust, Go, and Python.

The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens.
Compilers and interpreters adhere to the logical ordering of source code, not the visual order.

Source

A threat actor can reorganize source code to modify its logic in a way that generates an exploitable vulnerability by employing control characters included in comments and strings.
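Because the control characters are invisible in most editors and diff views, a reviewer needs tooling to surface them. The following is an added example, not code from the article or from the researchers: a small scanner that reports every Unicode bidirectional control character in a source text and marks those still unterminated at the end of their line. The function name `scan_source` and the sample text are assumptions made for illustration.

```python
import unicodedata

# Unicode bidirectional control characters and their terminators.
BIDI_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
BIDI_ISOLATES = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                            # close openers / isolates
BIDI_ALL = BIDI_OPENERS | BIDI_ISOLATES | {PDF, PDI}


def scan_source(text):
    """Hypothetical helper: list (line, column, name, unterminated) per bidi control."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack = []  # (index into findings, is_isolate) for openers still in effect
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_ALL:
                continue
            findings.append([line_no, col, unicodedata.name(ch), False])
            if ch in BIDI_OPENERS or ch in BIDI_ISOLATES:
                stack.append((len(findings) - 1, ch in BIDI_ISOLATES))
            elif ch == PDF:
                # PDF closes only the most recent embedding or override.
                if stack and not stack[-1][1]:
                    stack.pop()
            elif any(is_iso for _, is_iso in stack):
                # PDI closes the nearest isolate and anything opened after it.
                while not stack.pop()[1]:
                    pass
        # Openers left on the stack affect the rendering of the rest of the line.
        for idx, _ in stack:
            findings[idx][3] = True
    return [tuple(f) for f in findings]


# Constructed sample input: controls placed in a comment and in a string literal.
SAMPLE = (
    "def check(level):\n"
    "    # audit note \u202e\u2066 reviewed\n"
    "    label = 'ok \u2067text\u2069 done'\n"
    "    return level == 'admin'\n"
)

if __name__ == "__main__":
    for line_no, col, name, unterminated in scan_source(SAMPLE):
        state = "UNTERMINATED" if unterminated else "closed"
        print(f"line {line_no}, col {col}: {name} ({state})")
```

A check like this fits in a pre-commit hook or CI step, so that any finding blocks the merge until a reviewer has looked at the raw bytes.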

We have

Read More: https://heimdalsecurity.com/blog/the-trojan-source-attack-method-allows-the-injection-of-vulnerabilities-into-open-source-code/