| ▲ | awongh 3 hours ago | ||||||||||||||||
I guess this is only specific to a file in the root of the repo, so it doesn't allow for an NPM supply chain attack? | |||||||||||||||||
| ▲ | beart 3 hours ago | parent [-] | ||||||||||||||||
It has nothing to do with npm. However, a binary could be configured to extract your git/npm secrets using this exploit, which could then lead to a npm supply chain attack (or pip, etc. etc.). | |||||||||||||||||
| |||||||||||||||||