crp
Posted July 20, 2022

Is this issue still a problem? Is there some sort of vetting that occurs when new people take over project maintenance?

Quote: "A hugely popular open source JavaScript npm module had malicious code injected after the original developer handed it over to another unknown person to maintain."

https://www.itnews.com.au/news/unknown-dev-gets-rights-to-popular-module-adds-crypto-stealer-516106
securitybreach
Posted July 21, 2022

Well, this is a problem for most OSs, and it's not just hackers; governments as well actively try to exploit applications nowadays. Also, you have to remember it's kind of rare when you hear about this happening with Linux and open source. This is literally a daily issue for other OSs. Is it any better? An attack is an attack, but I would rather it be a rare thing versus having to worry about a constant attack threat. It's a matter of opsec (operational security) on what you deem a security issue or threat. Something like this is a non-event for most users. That said, with open source these things are quickly fixed when found. Most open source code is audited, but smaller projects just do not get the amount of views as the more popular ones.
goretsky
Posted August 1, 2022

Hello,

There have been other issues with other NPM packages, just like there have been issues with web browser extensions after they get sold by the original developer, etc. I think there are a lot of people who don't review the source code or just download the precompiled binaries for projects. It's understandable that not everyone can (or is able to) review all source code before installing a package, though.

Regards,

Aryeh Goretsky
goretsky
Posted August 3, 2022

Hello,

Case in point:

Regards,

Aryeh Goretsky
crp
Posted August 4, 2022

Yikes, today? Well, at least nothing important is being hit.
crp
Posted August 5, 2022

On 8/3/2022 at 3:58 AM, goretsky said:
Hello,
Case in point:
Regards,
Aryeh Goretsky

Whew! Turns out Stephen's original post left out a lot of context. Things are not nearly so bad as indicated.

"35,000 code repos not hacked—but clones flood GitHub to serve malware"
securitybreach
Posted August 6, 2022

Wow, that is quite a few infected repos.