Hacker News
by whatshisface 220 days ago
As always, hundreds watch the open repositories, maybe one watches a company's build servers, if they're lucky. :-)

Hundreds watch, but how closely?

Plenty of stories of fairly major projects having evil commits snuck in that remain for months.

Name a few.
Only two of these were actual malicious commits. Two others were malware inserted into the repositories (if Twitter could be thought of as a meta-repo), which is bad but not on the same scale.
I wonder why nobody has talked about who Jia Tan was. As I understand it, a few people already talked to that person. Now, did Jia Tan really vanish?