25 points by mdp2021 7 hours ago | 1 comment
  • indigodaddy 5 hours ago
    500,000 out of 7M projects is a pretty hard to believe figure. Staggeringly high percentage if true.
    • TacticalCoder 4 hours ago
      I think they're counting every dependency. For example, they mention a backdoored log4j version, but every project pulling that one log4j version is counted as "malicious".

      Still, 500K out of 7M using a malicious package would be staggeringly high.
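The counting distinction TacticalCoder raises, as an added illustration that is not part of the thread or of the report being discussed: with a constructed dependency graph and hypothetical package names (nothing here is real data), one flagged package version is counted once as "malicious", but every project that reaches it, directly or through an intermediate library, is counted as a project with a malicious dependency. The code also tells the two cases apart, which is what a practitioner would want before treating such a headline figure as "N projects shipped malware".

```python
from collections import deque

# Constructed dependency graph with hypothetical package names; this is an added
# illustration, not data from the thread or from the report it discusses.
# Each key is a project or package version; the value lists its direct dependencies.
DEPS = {
    "shop-frontend": ["web-framework==2.1", "logging-lib==4.2.0"],
    "payment-svc": ["web-framework==2.1"],
    "inventory-svc": ["web-framework==2.1"],
    "reporting-job": ["json-lib==1.0"],
    "web-framework==2.1": ["logging-lib==4.2.0", "json-lib==1.0"],
    "logging-lib==4.2.0": [],
    "json-lib==1.0": [],
}

# Hypothetical: the single package version a scanner has flagged as backdoored.
FLAGGED = {"logging-lib==4.2.0"}


def transitive_deps(node, deps=DEPS):
    """Return every package reachable from `node` through the dependency graph
    (breadth-first walk; `seen` guards against cycles)."""
    seen = set()
    queue = deque(deps.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(deps.get(dep, []))
    return seen


def top_level_projects(deps=DEPS):
    """Projects are the roots of the graph: nodes that nothing else depends on."""
    depended_on = {d for ds in deps.values() for d in ds}
    return {n for n in deps if n not in depended_on}


def affected_projects(flagged=FLAGGED, deps=DEPS):
    """Projects whose transitive closure contains at least one flagged package.
    This is the number a 'projects with malicious dependencies' headline reports."""
    return {p for p in top_level_projects(deps) if transitive_deps(p, deps) & flagged}


def affected_via_path(flagged=FLAGGED, deps=DEPS):
    """Map each affected project to how it reaches a flagged package:
    'direct' if it declares the package itself, 'transitive' if only through
    an intermediate library it never chose explicitly."""
    return {
        p: ("direct" if set(deps[p]) & flagged else "transitive")
        for p in affected_projects(flagged, deps)
    }


if __name__ == "__main__":
    print("flagged package versions:", len(FLAGGED))
    print("top-level projects:", len(top_level_projects()))
    print("projects counted as affected:", len(affected_projects()))
    for project, how in sorted(affected_via_path().items()):
        print(f"  {project}: {how}")
```

On this constructed graph one flagged version yields three of four projects counted as affected, only one of which declares the package directly; the same reachability walk over a real SBOM or lockfile set is how you would separate "packages that are malicious" from "projects that transitively pull one in".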