(It occurs to me that this tweet may need the elaboration “fuddy duddy is an (archaic?) US colloquialism for an older person who is distinctly uncool.”)
If that hacker that inserted the backdoor would have just triaged and merged some PRs first, we could say that we finally found a sustainable method for monetizing open source maintenance. The solution was crypto, just not in the way we were hoping.
They genuinely did make legit contributions first! That's how they convinced the maintainer to give them ownership: https://twitter.com/rauchg/status/1067160250061635584
js/npm is definitely ripe for attack as opposed to other langs like go: - deps are often minified, which is indistinguishable from obfuscation - most people don't check in their deps but allow them to be resolved at deploy time, so if changes occur you don't see them
Definitely not the first time. ESLint-scope (https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/) and GetCookies (https://thenewstack.io/npm-attackers-sneak-a-backdoor-into-node-js-deployments-through-dependencies/) almost perfectly mirror the 2017 warnings from Chalker (weak NPM dev passwords on important libs) and Gilbertson (quietly malicious dependencies).
I mean I hate to be all "Told you so!!!" but.... Nah, who am I kidding, I'm totally into saying that.
So uncool.
And it’s scary to think the dependency management systems for all languages have a similar vulnerability to some degree