by rvz 1420 days ago
Oh dear. This is a gigantic disaster.

If lots of software released today hasn't been pinning its versions on release (especially Electron apps) or signing its commits if it is open-source, then this is a chaotic supply chain attack waiting to happen and is worse than I thought.

But really it is yet another reason to avoid GitHub entirely and just self-host using GitLab or Gitea.


You may have misunderstood (understandably, because the tweets seem to be deliberately misleading). These are malicious commits in forks of repositories. There is no supply chain attack unless you make a habit of taking random forks of popular projects from GitHub and inserting them into your supply chain.
> There is no supply chain attack

Actually yes, this is all about supply chain attacks. Typosquatting is one of the most common methods. It goes under this category.

Spam is not a problem GitHub has ever had to seriously face so far, but this sort of attack does seem like it could catch some users casually googling for libraries.

If you impersonated all these real repos, made npm and PyPI packages for them, etc., and also updated the README, I think you could catch some people off guard.

The supply-chain attack is a self-inflicted attack if you're Googling a library and copy-pasting it as a Git dependency without so much as a glance at any of the numerous indicators that are screaming at you that it's untrustworthy.

It seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.
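One defensive check that follows from the pinning point above (don't pull unpinned code from arbitrary forks), as an added example that is not part of the thread: a Python script that audits a package.json for Git dependencies that are not pinned to a full commit SHA or that come from an owner outside an assumed allowlist, plus loose version ranges. `TRUSTED_OWNERS` and the sample manifest are constructed for illustration.

```python
import json
import re

# Constructed allowlist of upstream GitHub owners you actually trust (assumption).
TRUSTED_OWNERS = {"expressjs", "lodash"}

# Full git URL form: git+https://github.com/owner/repo.git#ref
GIT_SPEC = re.compile(
    r"^(?:git\+)?(?:https?|ssh|git)://(?:[^@/]+@)?github\.com/([^/]+)/([^/#]+?)(?:\.git)?(?:#(.*))?$"
)
# npm shorthand form: owner/repo#ref or github:owner/repo#ref
SHORTHAND = re.compile(r"^(?:github:)?(?!\.)([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(?:#(.*))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_spec(name, spec):
    """Return findings for one dependency spec; empty if it is pinned and from a trusted owner."""
    findings = []
    m = GIT_SPEC.match(spec) or SHORTHAND.match(spec)
    if m:
        owner, repo, ref = m.group(1), m.group(2), m.group(3)
        if owner not in TRUSTED_OWNERS:
            findings.append(f"{name}: git dependency from '{owner}/{repo}' is not a trusted upstream owner")
        if not ref or not FULL_SHA.match(ref):
            findings.append(f"{name}: git dependency is not pinned to a full commit SHA (ref={ref!r})")
    elif spec[:1] in "^~>" or spec in ("*", "latest"):
        findings.append(f"{name}: version range {spec!r} is not an exact pin")
    return findings


def audit(package_json_text):
    """Audit every dependency and devDependency in a package.json document."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            findings.extend(check_spec(name, spec))
    return findings


# Constructed sample manifest: one clean pin, one tag ref, one fork on a branch, one range.
SAMPLE = json.dumps({"dependencies": {
    "express": "4.18.2",
    "lodash": "git+https://github.com/lodash/lodash.git#4.17.21",
    "left-pad": "someuser/left-pad#main",
    "debug": "^4.3.4",
}})

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```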

> The supply-chain attack is a self-inflicted attack

It is an attack regardless. Someone has made something malicious which affects the process of the end-user acquiring the final software.

> it seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

I think the author just wanted to get attention and be sensational. He deliberately did not mention that they are forks. Just rushed to report findings.

The last paragraph is orthogonal to the problem that an npm install poses here, wherever your repo is.