Hacker News new | ask | show | jobs
by jhugo 1420 days ago
You may have misunderstood (understandably, because the tweets seem to be deliberately misleading). These are malicious commits in forks of repositories. There is no supply chain attack unless you make a habit of taking random forks of popular projects from GitHub and inserting them into your supply chain.
1 comments
nicce 1420 days ago
> There is no supply chain attack

Actually yes, this is all about supply chain attacks. Typosquatting is one of the most common methods. It goes under this category.

link
__alexs 1420 days ago
Spam is not a problem GitHub has ever had to seriously face so far but this sort of attack does seem like it could catch some users casually googling for libraries.

If you impersonated all these real repos, made npm, pypi packages for them etc and also updated the readme I think you could catch some people off guard.

link
nicce 1420 days ago
This is a real problem indeed. There have been reports about successful ones.

https://www.theregister.com/2022/07/06/npm_supply_chain_atta...

https://www.idstrong.com/sentinel/npm-packages-info-stolen/

link
jhugo 1420 days ago
The supply-chain attack is a self-inflicted attack if you're Googling a library and copy-pasting it as a Git dependency without so much as a glance at any of the numerous indicators that are screaming at you that it's untrustworthy.

It seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

link
nicce 1420 days ago
> The supply-chain attack is a self-inflicted attack

It is attack regardless. Someone has made something malicious which affects for the process for the end-user acquiring the final software.

> it seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

I think the author just wanted to get attention and be sensational. He deliberately did not mention that they are forks. Just rushed to report findings.

link