37 points by mdp2021 2 years ago | 3 comments
  • jqpabc123 2 years ago
    Open source is a system of perfect logic built on the foundation of a few flawed assumptions.

        - Money doesn't matter
        - Contributors are benevolent and altruistic
        - Commercial interests can't/won't game the process
        - Support and security are someone else's responsibility
        - Building useful and viable software is a fun hobby
        - All software should and will be Open Source
  • indigodaddy 2 years ago
    500,000 out of 7M projects is a pretty hard to believe figure. Staggeringly high percentage if true.
    • TacticalCoder 2 years ago
      I think they're counting every dependency. For example they mention a backdoored log4j version: but every project pulling that one log4j version is counted as "malicious".

      Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

      • vrighter 2 years ago
        which is the right approach, imo. The authors of a package are also responsible for which dependencies they depend on.
      • dartos 2 years ago
        > Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

        I don’t doubt it. How often do you think people really audit their dependencies?

        And with the sophistication demonstrated in that xz attack, it’d probably be hard for the average dev to tell if a package is malicious even if they did.

    • downboots 2 years ago
      it shouldn't be hard to believe when the attacker aims to infect as many as possible, no?
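The counting question raised in the replies above (one backdoored release flagged, every project that resolves it counted as "malicious") can be made concrete with a small dependency-graph walk. This is an added example, not code from the thread or from the report being discussed; the package names, versions and graph are constructed for illustration.

```python
from collections import deque

# Constructed sample graph: package@version -> pinned dependencies.
# Names/versions are hypothetical; "bad-logger@2.14.1" plays the role of
# the single backdoored release discussed in the thread.
GRAPH = {
    "bad-logger@2.14.1": [],
    "bad-logger@2.17.1": [],
    "web-core@1.0":      ["bad-logger@2.14.1"],
    "web-core@1.1":      ["bad-logger@2.17.1"],
    "shop-app@3.2":      ["web-core@1.0", "json-util@0.9"],
    "blog-app@0.4":      ["web-core@1.1"],
    "json-util@0.9":     [],
    "cli-tool@2.0":      ["json-util@0.9"],
}
FLAGGED = {"bad-logger@2.14.1"}

def dependents(graph):
    """Reverse the edges: package -> set of packages that depend on it."""
    rev = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(node)
    return rev

def affected(graph, flagged):
    """Map every package that resolves a flagged release to its hop count:
    0 = the flagged release itself, 1 = direct dependent, >1 = transitive."""
    rev = dependents(graph)
    dist = {f: 0 for f in flagged}
    queue = deque(flagged)
    while queue:  # breadth-first walk up the reverse edges
        cur = queue.popleft()
        for parent in rev.get(cur, ()):
            if parent not in dist:
                dist[parent] = dist[cur] + 1
                queue.append(parent)
    return dist

def summarize(graph, flagged):
    """Show how one flagged release turns into a larger 'affected' count."""
    dist = affected(graph, flagged)
    return {"flagged_releases": sum(d == 0 for d in dist.values()),
            "direct_dependents": sum(d == 1 for d in dist.values()),
            "transitive_dependents": sum(d > 1 for d in dist.values()),
            "total_counted": len(dist), "graph_size": len(graph)}

if __name__ == "__main__":
    print(summarize(GRAPH, FLAGGED))  # total_counted 3 of graph_size 8 from one flagged release
```

Note that projects pinning the clean `bad-logger@2.17.1` (here `blog-app@0.4`) are not counted, which is the distinction a headline figure like "500K of 7M" needs to make explicit.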