> The so-called “dependency confusion attacks” work by uploading malicious packages to public code repositories and giving them names that are identical to legitimate packages stored in the internal repository of Microsoft, Apple, or another large software developer.
This is the key line. These attacks happen at installation specific organizations. The attackers haven't bypassed open source code review.
On this topic, something that drives me nuts about Python packaging is that the name of the top-level import often doesn’t match the name of the package. For example if you see `import yaml` in a Python script, you might try to run `pip3 install yaml`, but no, you should actually run `pip3 install pyyaml`.
6 comments
[ 3.6 ms ] story [ 23.4 ms ] threadHow many of those 41000 are automatic build systems, mirrors and security scanners?
importantpackage / important-package
pptest
ipboards
owlmoon
DiscordSafety
trrfab
10Cent10 / 10Cent11
yandex-yt
yiffparty
Time to have a talk with my fellow tech furs again.
This is the key line. These attacks happen at installation specific organizations. The attackers haven't bypassed open source code review.