by krinchan
1215 days ago
Most of these package systems being attacked run arbitrary code on your system when you install the package in order to allow native extensions to compile. Maven/Java simply downloads a (relatively) inert zip archive that your IDE might do some static analysis on to provide autocomplete. Along with all the scanning and whatnot, I think that's the biggest reason you see attacks primarily on npm, PyPI, and to an extent RubyGems.
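An added example (not part of krinchan's comment or any project's code) of the defender-side audit this point implies: listing which packages in an npm dependency tree declare install-time lifecycle hooks, i.e. the scripts npm runs during `npm install` unless `ignore-scripts` is set. The hook names are npm's real lifecycle script names; the `node_modules` tree it scans is constructed inline for the demo.

```python
"""Inventory npm install-time lifecycle hooks in a node_modules tree.

Added example, not from the original thread. Hook names are npm's real
lifecycle scripts; the sample tree built below is constructed for the demo.
"""
import json
import os
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install` unless ignore-scripts=true.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_scripts(node_modules: str) -> dict[str, dict[str, str]]:
    """Map package name -> {hook: command} for every package declaring one."""
    found = {}
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't abort the audit
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            found[data.get("name", manifest.parent.name)] = hooks
    return found


def build_sample_tree() -> str:
    """Constructed node_modules: one hook-free package, one that compiles on install."""
    root = tempfile.mkdtemp()
    pkgs = {
        "inert-lib": {"name": "inert-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "native-addon": {"name": "native-addon", "version": "2.3.1",
                         "scripts": {"install": "node-gyp rebuild"}},
    }
    for name, manifest in pkgs.items():
        d = Path(root, "node_modules", name)
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    for pkg, hooks in find_lifecycle_scripts(build_sample_tree()).items():
        print(pkg, hooks)
```

Run against a real project's `node_modules` to see which dependencies get code execution at install time; packages that legitimately need a build step are the ones to review before deciding whether `ignore-scripts=true` in `.npmrc` is workable.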