Malicious packages in open-source repositories are surging(cyberscoop.com)
37 pointsby mdp20219 months ago3 comments
  • jqpabc1239 months ago
    Open source is a system of prefect logic built on the foundation of a few flawed assumptions.

        - Money doesn't matter
    - Contributors are benevolent and altruistic
    - Commercial interests can't/won't game the process
    - Support and security is someone else's responsibility
    - Building useful and viable software is a fun hobby
    - All software should and will be Open Source
  • indigodaddy9 months ago
    500,000 out of 7M projects is a pretty hard to believe figure. Staggeringly high percentage if true.
    • TacticalCoder9 months ago
      I think they're counting every dependency. For example they mention a backdoored log4j version: but every project pulling that one log4j version is counted as "malicious".

      Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

      • vrighter9 months ago
        which is the right approach, imo. The authors of a package are also responsible for which dependencies they depend on.
      • dartos9 months ago
        > Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

        I don’t doubt it. How often do you think people really audit their dependencies?

        And with the sophistication demonstrated in that xz attack, it’d probably be hard for the average dev to tell if a package is malicious even if they did.

    • downboots9 months ago
      it shouldn't be hard to believe when the attacker aims to infect as many as possible, no?
  • 9 months ago
    undefined