by Jenk 661 days ago
Techies aren't immune either, before we all follow the "blame management" bandwagon for the 2^101-tieth time.

CEOs aren't the reason supply chain attacks are absolutely rife with problems right now. That's entirely on the technical experts who created all of those pinnacle achievements in tech, ranging from tech-led orgs to open source community-built package ecosystems. Arbitrary code execution in homebrew, scoop, chocolatey, npm, expo, cocoapods, pip... you name it, it's got infected.

The LastPass data breach happened because _the_ alpha-geek in that building got sloppy and kept the keys to prod on their laptop _and_ got phished.


Wait, where can we read more about that? When you say "the keys to prod" do you mean the prod .ENV variables, or something else?
https://www.theverge.com/2023/2/28/23618353/lastpass-securit...

An employee (dev/sysadmin) had their home device compromised via a supply chain attack, which installed a keylogger, and the attacker(s) were able to exfiltrate the credentials to LastPass cloud envs.

Yeah, supply chain stuff is scary and still very open. This ranges from the easy stuff like typo-squatting pip packages or hacktivists changing their npm packages to wreck all computers in Russia up to the advanced backdoors like the xz hack.

Another big, still mostly open category is speculative execution data leaks or other "abstraction breaks" like Rowhammer.

At least in theory things like Passkeys and ubiquitous password manager use should eventually start to cut down on simple phishing attacks.
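A defender-side check for the typo-squatting class mentioned in the comment above, added here as an example and not taken from the thread: it audits a requirements.txt against an allowlist of expected packages and flags names that are near-misses of a known one. The allowlist and the requirements content are constructed for the example.

```python
import difflib
import re

# Constructed allowlist: the packages this (hypothetical) project is expected to use.
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}

# Constructed sample requirements.txt with two lookalike names mixed in.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requets==2.31.0
numpy>=1.26
urlib3
PyYAML>=6
flask
cryptography[ssh]>=42
"""

def normalize(name):
    # PEP 503 name normalization: case-fold and collapse runs of -, _ and . to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    # Drop comments and return the bare project name from forms like
    # "pkg==1.0", "pkg>=2", "pkg[extra]"; None for blank/comment-only lines.
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None

def typosquat_candidates(name, known=KNOWN_PACKAGES, cutoff=0.8):
    # An exact (normalized) match is fine; otherwise return known names that
    # are close enough to look like a typo of this one.
    n = normalize(name)
    if n in known:
        return []
    return difflib.get_close_matches(n, sorted(known), n=3, cutoff=cutoff)

def audit_requirements(text, known=KNOWN_PACKAGES):
    # Returns (line number, name as written, close known names) for each suspect line.
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = parse_requirement(raw)
        if name is None:
            continue
        close = typosquat_candidates(name, known)
        if close:
            findings.append((lineno, name, close))
    return findings
```

Names that are merely unknown (here `flask`) are not flagged, only names within the similarity cutoff of an allowlisted package; tune the allowlist and cutoff to the project.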