" Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created? Unfortunately, with the way that certain programs are now being built, applications have grown susceptible to what's known as cross-build injection."
" If, as part of the build process, developers automatically retrieve external dependencies, such as open source components, then an attacker has an opportunity to insert code into a target program by compromising its third-party components. "