chuckadams 2 hours ago

The big attacks of today are spread across several package ecosystems: TrapDoor and Shai-Hulud have been hitting npm, pypi, composer, and crates with the same malware.

throwwwll 2 hours ago | parent

And all of them "thought" of security as an after-after-after-after-after-thought.

freakynit 2 hours ago | parent | next

Most of these are now building upon techniques that have already been exploited over the past year. This attack used 4 of those techniques.

1. Lifecycle Hook Execution

2. CI/CD Identity Plane Attacks

3. Maintainer Account Takeover and Malicious Publish

4. Self-Replicating npm Worms

https://npm-supply-chain-attack-techniques.pagey.site/

throwwwll 2 hours ago | parent

Regardless of what these attacks exploit, see elsewhere a larping comment of mine: the solution exists, the implementation already mitigated numerous such and other exploits (it's nice to read "nix is not affected" on discourse or over matrix chat), it predates Docker by a decade, and is older than Ubuntu and Fedora (to give the perspective), yet people prefer to remain ignorant.

zitterbewegung 2 hours ago | parent

You can have a security solution but with large ecosystems like this it can’t be pushed to the ecosystem immediately and everyone will take longer to test and deploy.

Right now you could audit packages and make sure you don't get the latest version.
