undefined | Better HN

0 pointsb40d-48b2-979e1mo ago0 comments

No, we don't. We see build system attacks, such as injecting malicious scripts into their CI and getting malicious code into the artifact for use at runtime. You don't see someone doing a drive-by PR to a `setup.py`.

0 comments

2 comments · 1 top-level

isityettime1mo ago· 1 in thread

Not a drive-by PR, but once a package is compromised it often does spread to its reverse-dependencies via mechanisms like setup.py at build time. There was case like this with setup.py less than two months ago: https://www.stepsecurity.io/blog/forcememo-hundreds-of-githu...

Lots of npm supply chain attacks propagate at build time via post-install hooks, too.

isityettime1mo ago

Oh look, today furnished us with a new example: https://github.com/TanStack/router/issues/7383

j / k navigate · click thread line to collapse