by isityettime
39 days ago
Not a drive-by PR, but once a package is compromised it often does spread to its reverse-dependencies via mechanisms like setup.py at build time. There was a case like this with setup.py less than two months ago: https://www.stepsecurity.io/blog/forcememo-hundreds-of-githu... Lots of npm supply chain attacks propagate at build time via post-install hooks, too.
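A defender-side check for the install-hook channel the comment describes, as an added example that is not part of the comment or any linked project: it walks a directory tree for package.json manifests and reports every npm lifecycle script that runs at install time. The package names and the sample node_modules tree are constructed here so the script runs offline.

```python
# Added example (not from the original comment): audit a dependency tree for
# npm lifecycle scripts that run at install time, the channel the comment
# describes. The sample tree is constructed inline so this runs offline.
import json
import os
import tempfile

# npm runs these scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_install_hooks(root):
    """Return sorted (package_name, hook, command) for each install-time script under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((manifest.get("name", dirpath), hook, scripts[hook]))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed node_modules: one clean package, one with a postinstall hook."""
    manifests = [
        {"name": "clean-pkg", "version": "1.0.0"},
        {"name": "hooked-pkg", "version": "0.1.0",
         "scripts": {"postinstall": "node setup.js"}},  # runs during every dependent's install
    ]
    for manifest in manifests:
        pkg_dir = os.path.join(root, "node_modules", manifest["name"])
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

def audit_sample():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_install_hooks(tmp)

if __name__ == "__main__":
    for name, hook, cmd in audit_sample():
        print(f"{name}: {hook} -> {cmd}")
```

Point `find_install_hooks` at a real project's `node_modules` to list which transitive dependencies get code execution at install time; pairing the audit with `ignore-scripts=true` in `.npmrc` removes that execution by default.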