top | item 44817492

sturob | 6 months ago

Thank you, I was not aware of all of these, and I don't doubt the seriousness of the issue.

That said: 'every day' does seem quite hyperbolic.

lrvick | 6 months ago

There are several thousand expired email domains of maintainers right now on NPM alone, allowing you to easily take over their accounts if you wanted, arguably legally, for maybe $10. I bought the domain name of the sole maintainer of the NPM package "foreach", gaining control of their email address and likely password reset capabilities, just to prove this point and troll the press a bit, which worked better than I could have ever hoped. And yet, still not -enough- press because almost no one is doing anything about it yet.

With easily over a million published open source packages that exist, and it being -so- easy to take them over since almost no one uses hardware code signing or 2FA, and with well above 365 documented/discovered cases every year (obviously not counting all the ones that are -not- discovered!), "every day" is a given.

If anything, with LLM-based pull request attacks spiking right now, I assume several malicious commits will be merged today. Most will look like accidents, hard to spot, and merged helpfully by bots that automatically merge commits to major distros. The floodgates are wide open.

"Sonatype logged over 245,032 malicious packages in open source projects available to public download in 2023, double the number seen from 2019 to 2022. In total, one in eight open source downloads poses a risk."

https://www.cpomagazine.com/cyber-security/open-source-softw...
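The expired-maintainer-domain condition described in the comment above is something a project can audit for in its own dependency tree. The script below is an added example written for this thread, not code from either commenter or from npm: it takes package metadata in the shape of the npm registry's `maintainers` field, extracts every maintainer e-mail domain, and reports the ones that no longer resolve in DNS (plus addresses too malformed to check at all). The package names, maintainer names and domains in `SAMPLE_PACKAGES` are constructed placeholders, and the `resolver` parameter is an assumption of this example so the check can run offline against a stub.

```python
"""Audit maintainer e-mail domains of your dependencies for lapsed DNS.

Added example for this thread (not the commenters' code). Feed it the
metadata of the packages in your own lock file; a maintainer whose
e-mail domain no longer resolves is a candidate for the account-takeover
path the comment describes and deserves a closer look (pin the package,
verify provenance, or contact the maintainer through another channel).
"""
import socket
from typing import Callable, Dict, List

# Constructed sample data in the shape of npm registry metadata.
# Names and domains are placeholders, not real packages or people.
SAMPLE_PACKAGES = [
    {"name": "left-utils",
     "maintainers": [{"name": "alice", "email": "alice@example.com"}]},
    {"name": "tiny-each",
     "maintainers": [{"name": "bob", "email": "bob@lapsed-domain.invalid"}]},
    {"name": "fmt-helper",
     "maintainers": [{"name": "carol", "email": "carol@example.com"},
                     {"name": "dave", "email": "not-an-address"}]},
]


def email_domain(addr: str) -> str:
    """Return the lowercase domain part of an e-mail address, '' if malformed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.strip().lower()


def default_resolver(domain: str) -> bool:
    """True if the domain has an A/AAAA record.

    Caveat: a domain that publishes only MX records would be reported as
    unresolved here. Before treating a hit as an expired domain, confirm
    with a DNS library that also queries MX (and ideally the registrar's
    WHOIS/RDAP status).
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_maintainer_domains(
    packages: List[dict],
    resolver: Callable[[str], bool] = default_resolver,
) -> Dict[str, List[str]]:
    """Map package name -> maintainer e-mails whose domain does not resolve.

    Malformed addresses are reported too, since they cannot be verified.
    Packages with no findings are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    cache: Dict[str, bool] = {}          # one DNS lookup per distinct domain
    for pkg in packages:
        flagged: List[str] = []
        for maintainer in pkg.get("maintainers", []):
            email = maintainer.get("email", "")
            dom = email_domain(email)
            if not dom:
                flagged.append(email or "<missing>")
                continue
            if dom not in cache:
                cache[dom] = resolver(dom)
            if not cache[dom]:
                flagged.append(email)
        if flagged:
            findings[pkg["name"]] = flagged
    return findings


if __name__ == "__main__":
    # Stub resolver so the sample runs offline; drop the argument to use real DNS.
    stub = lambda d: d == "example.com"
    for name, emails in audit_maintainer_domains(SAMPLE_PACKAGES, stub).items():
        print(f"{name}: unverifiable maintainer e-mail(s): {', '.join(emails)}")
```

In practice you would build the `packages` list from the registry metadata of each entry in your lock file rather than from the constructed sample, and treat a hit as a prompt for manual verification, not as proof of compromise: registrar expiry, MX-only domains and typos all look the same to a plain A-record lookup.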