• wolf@lemmy.zip
    link
    fedilink
    English
    arrow-up
    17
    ·
    edit-2
    8 months ago

    Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

    It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

    • RedNight@lemmy.ml
      link
      fedilink
      arrow-up
      9
      ·
      8 months ago

      This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience

      • wolf@lemmy.zip
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.