charcircuit 3 hours ago
Does OIDC flow block this same issue of being able to use a RAT to publish a malicious package?
fortuitous-frog 3 hours ago
No. axios (v1 at least; not v0) was set up to publish via OIDC, but there's no option on npmjs for package maintainers to restrict their package to *only* using OIDC. The maintainer says his machine was infected via RAT, so if he was using software-based 2FA, nothing could have prevented this.
hsbauauvhabzb 3 hours ago
No, once the computer is compromised nothing really helps, assuming the attacker is patient enough.