I guess you have to watch the 20 minute video massive eye roll
But skimming the video to places where there might actually be signal, there is at least one live npm example where there is a call to an external url and then a pipe to sh. This is pretty clearly malicious yet tools like Snyk and Dependabot list it as clean.
Might be worth someone running through the video to pull out the examples given so people benefit from this.
4 comments
[ 4.9 ms ] story [ 20.2 ms ] threadBut skimming the video to places where there might actually be signal, there is at least one live npm example where there is a call to an external url and then a pipe to sh. This is pretty clearly malicious yet tools like Snyk and Dependabot list it as clean.
Might be worth someone running through the video to pull out the examples given so people benefit from this.
One is throwing shit at the wall and hoping it sticks (uploading malicious packages to registries)
And the other is a coordinated and long term attack where someone builds trust in an existing tool or package then inserts a backdoor with that trust.