Fortify Finds Trojan Devs in Open Source

“Fortify has identified a new class of bug that is designed to
take advantage of the atmosphere of trust that occurs while
developers are playing with open source code. It’s called
‘build-process injection,’ a Trojan horse that allows hackers to
insert malicious code into the target program while it is being

“In this case, hackers can surreptitiously replace source code
sitting in the repository with an infected version. The result is
that the Trojan horse could start doing its dirty work before the
application ever gets to test phase, or depending on the design of
the malware, at any point thereafter…”
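The mechanism Fortify describes, as an added illustration that is not part of the Fortify announcement or of any real project: a small constructed source tree whose build script has been swapped for a trojaned copy in the checkout, built once by a trusting build step and once by a build step that first verifies every file against a manifest of SHA-256 hashes pinned from a trusted copy. All file names, contents and the marker-file "payload" are constructed for the example; the manifest is assumed to come from somewhere the attacker cannot also rewrite.

```python
"""Build-process injection on a constructed source tree, and a pinned-hash check.

Added example, not code from Fortify or any real project. The 'payload' only
drops a marker file so the effect of building a trojaned checkout is visible.
"""
from __future__ import annotations

import hashlib
import runpy
import tempfile
from pathlib import Path

# The legitimate build step: it writes a BUILT marker next to itself.
CLEAN_BUILD_SCRIPT = """\
from pathlib import Path
here = Path(__file__).resolve().parent
(here / "BUILT").write_text("build ok\\n")
"""

# The attacker's replacement: the same build step plus a payload that runs the
# moment anyone builds. Here the stand-in payload only drops a second marker.
TROJANED_BUILD_SCRIPT = CLEAN_BUILD_SCRIPT + """\
(here / "PAYLOAD_RAN").write_text("attacker code ran during the build\\n")
"""


def write_tree(root: Path, build_script: str) -> None:
    """Lay down a tiny constructed project: one module and one build script."""
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "app.py").write_text("def main():\n    return 'hello'\n")
    (root / "setup.py").write_text(build_script)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a checkout with the pinned manifest; an empty list means clean."""
    actual = build_manifest(root)
    findings = [f"missing: {rel}" if rel not in actual else f"modified: {rel}"
                for rel, digest in manifest.items()
                if rel not in actual or actual[rel] != digest]
    findings += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return findings


def run_build(root: Path, manifest: dict[str, str] | None = None) -> dict:
    """Run the checkout's build script, refusing first if verification fails."""
    findings: list[str] = []
    if manifest is not None:
        findings = verify_tree(root, manifest)
    if not findings:
        # Without a manifest this is exactly what a trusting build does:
        # whatever is in the checkout's build script gets executed.
        runpy.run_path(str(root / "setup.py"), run_name="__main__")
    return {
        "built": (root / "BUILT").exists(),
        "payload_ran": (root / "PAYLOAD_RAN").exists(),
        "findings": findings,
    }


def demo() -> dict:
    """Build a trojaned checkout twice: trusting it, then against the pinned manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        write_tree(trusted, CLEAN_BUILD_SCRIPT)
        # Stands in for a manifest obtained out of band (signed release checksums).
        pinned = build_manifest(trusted)

        results = {}
        for label, manifest in (("unchecked", None), ("checked", pinned)):
            checkout = Path(tmp) / label
            write_tree(checkout, TROJANED_BUILD_SCRIPT)  # repository copy was replaced
            results[label] = run_build(checkout, manifest)
        return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The unchecked build produces both marker files: the Trojan ran as part of an ordinary build, before any test phase. The checked build reports `modified: setup.py` and never executes the script. The check is only as strong as the source of the manifest: if the hashes live in the same repository the attacker already writes to, they can update both, so the reference copy has to come from a separate channel such as signed release checksums.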

