this post was submitted on 11 Aug 2025
85 points (97.8% liked)

Open Source

[–] PhilipTheBucket@piefed.social 15 points 2 weeks ago (1 children)

I feel like this is kind of the amateur-hour stuff. It's certainly dangerous, but in comparison to a lot of state-actor activities (or even committed-amateur activities), this kind of supply-chain attack is pretty blatant and easy to spot. Which doesn't mean it's easy to spot -- I just mean it would be trivial to volunteer and contribute some minimal fixes and enhancements to some open source project, and then at one point smuggle in a zero-day that will basically never be detected unless someone detects the intrusion itself and then works backwards from there with a ton of time to spend on it.

If you've ever looked at the obfuscated C contest it should be obvious that this kind of thing can be made completely invisible if you know what you're doing. Some of the interactions and language features that lead to problems are basically impossible for a casual viewer to see, even if they're paying attention, and the attack surface is massive and the amount of attention that goes into checking it for weird subtle vulnerabilities is minuscule.

[–] eldavi@lemmy.ml 7 points 2 weeks ago (1 children)

I feel like this is kind of the amateur-hour stuff. It’s certainly dangerous, but in comparison to a lot of state-actor activities (or even committed-amateur activities), this kind of supply-chain attack is pretty blatant and easy to spot. Which doesn’t mean it’s easy to spot

The real worrisome stuff comes from state actors who know what they're doing and have captured the entire ecosystem to prevent it from being discovered until it doesn't matter any more, e.g. Stuxnet, PRISM, etc.

[–] PhilipTheBucket@piefed.social 6 points 2 weeks ago (1 children)

Yeah, exactly. If you read the Snowden leaks to learn the details of what some of their actual capabilities are (smuggling flawed keys into the DH exchange for most major web browsers for example), it makes this stuff look like kids in their basements fucking around.

[–] eldavi@lemmy.ml 4 points 2 weeks ago (1 children)

I can't read them, they frighten me. lol

[–] pmk@lemmy.sdf.org 4 points 2 weeks ago (1 children)

How about these words: "Reflections on Trusting Trust".

[–] eldavi@lemmy.ml 1 points 1 week ago

I forgot that this was a thing, and I think it's a sure-fire sign that I've left the developer fold. lol

[–] stsquad@lemmy.ml 9 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I've long avoided npm, but attacks on PyPI are a worry.

[–] helloworld@lemmy.ml 1 points 20 hours ago

If you are paranoid enough: run all PyPI packages in a Qubes OS virtual machine, I guess?

[–] Flagstaff@programming.dev 6 points 2 weeks ago

Just great.