This is truly the stuff of nightmares, and I'm definitely going to review our CI/CD infrastructure with this in mind. I'm eagerly awaiting learning what the initial attack vector was.
If people didn't allow macros in Excel, stayed in read-only mode in Word and only opened sandboxed PDFs (convert to images in sandbox, OCR result, stitch back together), we would see a sharp decline in successful breaches. But that would be boring.
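The "convert to images in a sandbox, OCR, stitch back together" idea from the comment above, written out as a runnable script. This is an added example, not code from the commenter or from any project in the thread. It assumes the Poppler `pdftoppm` and `tesseract` command-line tools are installed, and that the whole thing runs inside a throwaway sandbox (container or VM with no network), because the rasterizer is itself the component parsing the hostile file. The output PDF consists only of page images plus an invisible OCR text layer, so JavaScript, forms, embedded files and font programs from the original do not survive.

```python
"""Flatten an untrusted PDF into an image-only, text-searchable PDF.

Added example. Assumes `pdftoppm` (Poppler) and `tesseract` are on PATH and
that this runs inside a disposable sandbox; file names below are constructed.
"""
import re
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# pdftoppm names its output <prefix>-<n>.png (zero-padded when there are >9 pages)
PAGE_NUM = re.compile(r"-(\d+)\.png$")


def tools_available() -> bool:
    """True when both external tools the pipeline relies on can be found."""
    return all(shutil.which(t) is not None for t in ("pdftoppm", "tesseract"))


def rasterize_cmd(src: Path, out_prefix: Path, dpi: int = 150) -> list:
    """Command that renders every page of `src` to <out_prefix>-<n>.png."""
    return ["pdftoppm", "-r", str(dpi), "-png", str(src), str(out_prefix)]


def order_pages(names) -> list:
    """Return page-image names in page order.

    Only names matching <prefix>-<n>.png are kept. Sorting is numeric on <n>:
    a plain lexical sort would put page-10.png before page-2.png and the
    rebuilt document would have its pages shuffled.
    """
    matched = [n for n in names if PAGE_NUM.search(str(n))]
    return sorted(matched, key=lambda n: int(PAGE_NUM.search(str(n)).group(1)))


def page_images(work: Path, prefix: str) -> list:
    """Rendered page images under `work` for the given pdftoppm prefix, in order."""
    return order_pages(p for p in work.iterdir() if p.name.startswith(prefix + "-"))


def flatten_pdf(src, dst, dpi: int = 150) -> int:
    """Rasterize `src`, OCR the images, and write a clean PDF to `dst`.

    Returns the number of pages processed. Raises if no page was rendered,
    which is what a malformed or hostile input typically produces.
    """
    src, dst = Path(src), Path(dst)
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        # Step 1: render pages to PNG. This is the only step that parses the
        # untrusted PDF structure, so it is the step that must be sandboxed.
        subprocess.run(rasterize_cmd(src, work / "page", dpi), check=True, timeout=300)
        pages = page_images(work, "page")
        if not pages:
            raise RuntimeError(f"no pages rendered from {src}")
        # Step 2: tesseract accepts a text file listing image paths (one per
        # line) and emits a single multi-page PDF: image + invisible text layer.
        listing = work / "pages.txt"
        listing.write_text("\n".join(str(p) for p in pages) + "\n")
        subprocess.run(["tesseract", str(listing), str(work / "clean"), "pdf"],
                       check=True, timeout=1800)
        # Step 3: only the rebuilt file leaves the sandbox.
        shutil.move(str(work / "clean.pdf"), dst)
        return len(pages)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: flatten_pdf.py <untrusted.pdf> <clean.pdf>")
    if not tools_available():
        sys.exit("pdftoppm and tesseract must be installed")
    n = flatten_pdf(sys.argv[1], sys.argv[2])
    print(f"wrote {sys.argv[2]} ({n} pages)")
```

The numeric page ordering is the easy thing to get wrong: pdftoppm only zero-pads page numbers when the document has more than nine pages, so any stitching step that sorts file names as strings silently reorders longer documents. Resolution is a trade-off as well; 150 dpi keeps OCR usable without making the rasterizer's own output large enough to be a denial-of-service on the sandbox.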
So the attacker has to have exploits in every PDF reader app on Linux? Since it is not Adobe only and there are quite a few. Or maybe a common backend engine (MuPDF and Poppler)...
Yeah, I suspect that a rather lot of the options use the same libraries; https://en.wikipedia.org/wiki/Poppler_(software) claims that poppler is used by Evince, LibreOffice 4.x, and Okular (among others).
This has advantages and disadvantages; yes, if there is a security hole in it, it likely affects everything that uses it. But it also means it gets use-case tested more thoroughly, at a minimum. Ideally, all "stakeholders" would have a vested interest in doing reviews of their own, or perhaps pooling money to have the code scrutinized.
An attacker doesn’t need every attack to work every time. One breach is usually enough to get into your system, so long as they can get access to the right machine.
I heard a story from years ago that security researchers tried leaving USB thumb drives in various bank branches to see what would happen. They put autorun scripts on the drives so they would phone home when plugged in. Some 60% of them were plugged in (mostly into bank computers).
The attacker obviously does not need to have exploits in every PDF reader app on Linux; it needs to have an exploit in a single PDF reader app out of all those which someone in your organization is using. If 99% of your employees are secure but 1% are not, you're vulnerable. Perhaps there's a receptionist in your Elbonian[1] branch on an outdated unpatched computer, and that's as good an entry point into your network as any other, with possibilities for lateral movement to their boss or IT support persons' account and onwards from there. In this particular case, a developer's Linux machine was the point of persistence where the malware got inserted into their server builds; however, most likely that machine wasn't the first point of entrance into their systems.
Remember how Adobe removed Flash support from Acrobat a couple of years back? Attacks like this are why. Well, and Flash had other issues, too.
I'm not sure when you started using PDFs (I remember mid-90s when my Dad told me about this cool new document format that would standardize formats across platforms, screen and paper!), but hardly anything is static any more.
The nexus of unsafe programming languages and exploit markets, where for the right price you can purchase undisclosed bugs basically ready to use. Modern offensive security is essentially a bit like shopping in Ikea.