Hacker News new | ask | show | jobs
by freakynit 10 days ago
Most of these are now building upon techniques that have already been exploited since past 1 years. This attack used 4 of those techniques.

1. Lifecycle Hook Execution

2. CI/CD Identity Plane Attacks

3. Maintainer Account Takeover and Malicious Publish

4. Self-Replicating npm Worms

https://npm-supply-chain-attack-techniques.pagey.site/
1 comments
throwwwll 10 days ago
Regardless of what these attacks exploit, see elsewhere a larping comment of mine: the solution exists, the implementation already mitigated numerous such and other exploits (it's nice to read "nix is not affected" on discourse or over matrix chat), it predates Docker by a decade, and is older than Ubuntu and Fedora (to give the perspective), yet people prefer to remain ignorant.
link
zitterbewegung 10 days ago
You can have a security solution but with large ecosystems like this it can’t be pushed to the ecosystem immediately and everyone will take longer to test and deploy.

Right now you could audit packages and make sure you don’t get the latest version

link
throwwwll 7 days ago
That's bullshit and shows you don't understand nixpkgs model.
link