4 comments

[ 4.9 ms ] story [ 20.2 ms ] thread
(comment deleted)
Where are the examples?
I guess you have to watch the 20 minute video massive eye roll

But skimming the video to places where there might actually be signal, there is at least one live npm example where there is a call to an external url and then a pipe to sh. This is pretty clearly malicious yet tools like Snyk and Dependabot list it as clean.

Might be worth someone running through the video to pull out the examples given so people benefit from this.

I think they're conflating two types of attacks here.

One is throwing shit at the wall and hoping it sticks (uploading malicious packages to registries)

And the other is a coordinated and long term attack where someone builds trust in an existing tool or package then inserts a backdoor with that trust.