loading page

Invisible Supply Chain Attacks Based on Trojan Source
  • +2
  • Emanuele Buchicchio ,
  • Luca Grilli ,
  • Diego Antonini ,
  • Eros Capobianco ,
  • Salvatore Cipriano
Emanuele Buchicchio
Department of Engineering University of Perugia

Corresponding Author:[email protected]

Author Profile
Luca Grilli
Author Profile
Diego Antonini
Author Profile
Eros Capobianco
Author Profile
Salvatore Cipriano
Author Profile


A new class of vulnerabilities, called trojan source, has been recently discovered by Boucher and Anderson. They allow attackers to inject specific Unicode control characters in the source code of a software project, such that what text editors visualize differs from what compilers interpret. In the absence of specific protections, trojan source vulnerabilities can be exploited to launch effective supply chain attacks that appear invisible to developers.
This work describes the state of the art of known trojan source attacks, illustrates two new attack variants involving configuration files and Java code, and describes practical preventive measures. The first variant affects Java platforms and may enable the execution of instructions injected within comments. Whereas the second variant exploits BiDi and homoglyph Unicode symbols within source code and configuration files. We also give several proofs of concept for many popular development platforms and provide a detection tool that can be easily integrated into the build process.
Oct 2022Published in Computer volume 55 issue 10 on pages 18-25. 10.1109/MC.2022.3190801