undefined | Better HN

0 pointsnicce3y ago0 comments

> There is no supply chain attack

Actually yes, this is all about supply chain attacks. Typosquatting is one of the most common methods. It goes under this category.

0 comments

__alexs3y ago

Spam is not a problem GitHub has ever had to seriously face so far but this sort of attack does seem like it could catch some users casually googling for libraries.

If you impersonated all these real repos, made npm, pypi packages for them etc and also updated the readme I think you could catch some people off guard.

nicceOP3y ago

This is a real problem indeed. There have been reports about successful ones.

https://www.theregister.com/2022/07/06/npm_supply_chain_atta...

https://www.idstrong.com/sentinel/npm-packages-info-stolen/

jhugo3y ago

The supply-chain attack is a self-inflicted attack if you're Googling a library and copy-pasting it as a Git dependency without so much as a glance at any of the numerous indicators that are screaming at you that it's untrustworthy.

It seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

nicceOP3y ago

> The supply-chain attack is a self-inflicted attack

It is attack regardless. Someone has made something malicious which affects for the process for the end-user acquiring the final software.

> it seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

I think the author just wanted to get attention and be sensational. He deliberately did not mention that they are forks. Just rushed to report findings.

j / k navigate · click thread line to collapse

0 comments

__alexs3y ago

Spam is not a problem GitHub has ever had to seriously face so far but this sort of attack does seem like it could catch some users casually googling for libraries.

If you impersonated all these real repos, made npm, pypi packages for them etc and also updated the readme I think you could catch some people off guard.

nicceOP3y ago

This is a real problem indeed. There have been reports about successful ones.

https://www.theregister.com/2022/07/06/npm_supply_chain_atta...

https://www.idstrong.com/sentinel/npm-packages-info-stolen/

jhugo3y ago

nicceOP3y ago

> The supply-chain attack is a self-inflicted attack

It is attack regardless. Someone has made something malicious which affects for the process for the end-user acquiring the final software.

I think the author just wanted to get attention and be sensational. He deliberately did not mention that they are forks. Just rushed to report findings.

j / k navigate · click thread line to collapse