Every time a project I build needs a library I don't personally know, I break into a cold sweat. I'm literally building applicant code sample tests in a VM now 
Heh. Yep! Using other people's code has been a known risk since the beginning of time.
Supply-chain attack
And now let’s consider the possibility that these were shipped as dependencies for docker images. All this convenience has made us more productive, but there’s a price we pay.
Ironically the trojan would then be safe - in this particular case!
People talk about webassembly and similar things as safe because available resources are controlled. As someone dealing with passwords in my project, this vulnerability came to mind. Some sort of user defined resource access as libs are concerned maybe would be advantageous.
This is not a new sort of threat. It's been around since forever. https://www.theregister.co.uk/2017/08/02/typosquatting_npm/ … But YES we need this in our threat model as developers. If you know a developer talk to them about #security.
