ploxiln | 3 months ago

> it wouldn't be hard to get a bad update into a package (xz did that)

I'd actually call that quite difficult. In the case of xz it was quite a high-effort "long con" the likes of which we've never seen before, and it didn't quite succeed in the end (it was caught before rolling out to stable distros and did not successfully exploit any target). One huge close call, but so far zero successes, over almost 30 years now.

But typo-squatting and hijacked packages in NPM and PyPI, we've seen that hundreds of times, many times successfully attacking developers at important software companies or just siphoning cryptocurrency.

walletdrainer | 3 months ago

You could just hack someone responsible for the package you want to target or one of its dependencies, and skip the long con entirely.

Given the amount of potential targets, it would probably be trivial to get yourself into a position to cause devastating impact.

GuuD | 3 months ago

Zero that we know of

0cf8612b2e1e | 3 months ago

Certainly seems absurd to think that xz was the only target Jia Tan had been pursuing for years. Surely there were parallel initiatives to exploit other projects in the security chain.