krinchan | 3 years ago

Most of these package systems being attacked run arbitrary code on your system when you install the package in order to allow native extensions to compile. Maven/Java simply downloads a (relatively) inert zip archive that your IDE might do some static analysis on to provide autocomplete.

Along with all the scanning and whatnot, I think that’s the biggest reason you see attacks primarily on npm, PyPI, and to an extent RubyGems.
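The install-time hooks the comment refers to are concrete, inspectable things: npm runs the `preinstall`/`install`/`postinstall`/`prepare` lifecycle scripts from `package.json` during `npm install`, and `pip` executes `setup.py` (including any custom `cmdclass` a package registers) when it builds from source. The following is an added example, not code from the thread or from any of the package ecosystems named in it: a small defensive checker that flags those hooks before a package is installed. The `package.json` and `setup.py` inputs are constructed for illustration, and the list of call names treated as "shell or exec" is an assumption chosen for the demo rather than an exhaustive rule.

```python
"""Flag package manifests that would execute code at install time.

Added example (not from the HN thread). npm runs lifecycle scripts from
package.json automatically on install; pip executes setup.py when it builds
from source. A Maven artifact has no equivalent hook, which is the point the
comment makes. All sample inputs below are constructed.
"""
import ast
import json

# Lifecycle scripts npm executes during `npm install` without user action.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Callables whose presence in setup.py means the install step spawns a shell
# or evaluates code. Assumed list for this demo, not an exhaustive catalogue.
SHELL_OR_EXEC_CALLS = {
    "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "subprocess.check_call", "exec", "eval",
}


def npm_install_hooks(package_json_text):
    """Return (hook, command) pairs that npm would run on install."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in NPM_INSTALL_HOOKS if hook in scripts]


def _callee_name(call):
    """Best-effort dotted name of a call target, e.g. 'subprocess.run'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return f"{getattr(func.value, 'id', '?')}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return None


def setup_py_hooks(setup_py_text):
    """Return (kind, detail, lineno) findings for a setup.py.

    Two things are reported: a `cmdclass=` argument to setup(), which lets the
    package replace the install command with its own class, and any call to a
    shell/exec-style function anywhere in the file, since all of it runs during
    `pip install` from source.
    """
    tree = ast.parse(setup_py_text)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in SHELL_OR_EXEC_CALLS:
            findings.append(("shell-or-exec", name, node.lineno))
        if name == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    keys = [k.value for k in kw.value.keys
                            if isinstance(k, ast.Constant)]
                    findings.append(("cmdclass", ",".join(keys), node.lineno))
    # ast.walk is breadth-first; sort so the report reads top to bottom.
    return sorted(findings, key=lambda f: f[2])


# --- constructed sample inputs ---------------------------------------------
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-pkg",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node ./setup.js"},
})

SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["echo", "hello"])

setup(name="demo", version="0.1", cmdclass={"install": PostInstall})
'''


if __name__ == "__main__":
    for hook, cmd in npm_install_hooks(SAMPLE_PACKAGE_JSON):
        print(f"package.json: npm would run '{cmd}' as {hook}")
    for kind, detail, line in setup_py_hooks(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {kind} -> {detail}")
```

Running the checker over a Maven `.pom`/`.jar` pair has nothing to report, because there is no manifest key that makes Maven execute package-supplied code on download; the two functions above are the mechanical difference the comment is describing. In practice you would run this against the extracted archive (`npm pack` output or the sdist) before it reaches a build machine, and treat any finding as "read this file before installing", not as proof of malice, since plenty of legitimate native-extension packages trip it.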
