lrvick|6 months ago
* Gentoo: https://archives.gentoo.org/gentoo-announce/message/dc23d48d...
* Debian: https://lists.debian.org/debian-devel-announce/2006/07/msg00...
* NPM: https://eslint.org/blog/2018/07/postmortem-for-malicious-pac...
* PyPI: https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_...
* Ubuntu Snap: https://github.com/canonical-websites/snapcraft.io/issues/65...
* Arch Linux AUR: https://lists.archlinux.org/pipermail/aur-general/2018-July/...
* Homebrew: https://medium.com/@vesirin/how-i-gained-commit-access-to-ho...
No one has fixed the fundamental problems that allow any of these to happen after years and years.
Now put "supply chain attack" into any news search engine today.
Attacks of this nature are up by 400-1500%+ in recent years depending on whose estimates you trust. They are easy, they are common, they are everywhere... and most security engineers and sysadmins are entirely asleep at the wheel on this one.
Most of our consulting work these days is mitigating these risks in the most critical deployment and code paths of our clients.
sturob|6 months ago
That said: 'every day' does seem quite hyperbolic.