by Phelinofist 38 days ago
Either my reading of your comment is wrong or you misunderstood the supply chain comment by OP I think: what they mean is that a supply chain attack that gets the exploit on a system would be great now because the reported vulns are unfixed pretty much everywhere

No, you read it right. I just misunderstood the post's message as "these exploits will enable more supply chain attacks". I'll probably delete my comment since it's debating a strawman. It is absolutely right that these exploits might enable these attacks to have a larger impact. I still don't think that I agree with the message since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update.
> since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update

In general I agree, but I think these two vulns are 0day-y and pretty much every major distro is affected AFAIU, so there is perhaps slightly more potential than usual

Thanks for not deleting your question — I misunderstood the OP in the same way.