• jqpabc123 a day ago

    Open source is a system of perfect logic built on the foundation of a few flawed assumptions.

        - Money doesn't matter
        - Contributors are benevolent and altruistic
        - Commercial interests can't/won't game the process
        - Support and security are someone else's responsibility
        - Building useful and viable software is a fun hobby
        - All software should and will be Open Source
    • indigodaddy 2 days ago

      500,000 out of 7M projects is a pretty hard to believe figure. Staggeringly high percentage if true.

      • downboots 2 days ago

        it shouldn't be hard to believe when the attacker aims to infect as many as possible, no?

        • TacticalCoder 2 days ago

          I think they're counting every dependency. For example, they mention a backdoored log4j version, but every project pulling that one log4j version is counted as "malicious".

          Still, 500K out of 7M using a malicious package would be staggeringly high.

          • dartos a day ago

            > Still, 500K out of 7M using a malicious package would be staggeringly high.

            I don’t doubt it. How often do you think people really audit their dependencies?

            And with the sophistication demonstrated in that xz attack, it’d probably be hard for the average dev to tell if a package is malicious even if they did.

            • vrighter 2 days ago

              which is the right approach, imo. The authors of a package are also responsible for which dependencies they depend on.
