Misconfigured permissions in Google's Gerrit platform may have allowed attackers to inject malicious code into ChromiumOS and other projects. A specific permission issue and a race condition in the merge process potentially left at least 18 projects open to supply chain attacks, enabling malicious code to be merged without user interaction.