PSA: Supply chain attack on rest-client, an extremely widely deployed Ruby library. https://github.com/rest-client/rest-client/issues/713
If you're not rigorously auditing dependencies [+], you're as secure as the least secure account, application, or trusted application of the least secure person with commit access in your supply chain. [+] You are not. [++] [++] No, really, you are not.
A mitigation here, which you will probably want anyhow, is to only upgrade dependencies based on explicit choice rather than slurping down upgrades optimistically. This mitigation is not normative in some development communities, which may pose some cultural challenges.
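As an added example, not from the thread: a small Ruby audit that reads a Gemfile and its Gemfile.lock and reports which top-level dependencies float (and so can change on a routine `bundle update`) versus being pinned by explicit choice. Both inputs are constructed, the versions are illustrative only, and the Gemfile parser handles just the plain `gem "name", "constraint"` form.

```ruby
# Added example, not from the thread: constructed Gemfile/Gemfile.lock pair.
# Versions are illustrative only.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rest-client", "~> 2.0"
  gem "nokogiri", "= 1.10.4"
  gem "rake"
GEMFILE

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.4)
      rake (12.3.3)
      rest-client (2.1.0)
        http-accept (>= 1.7.0, < 2.0)
LOCK

# Gemfile -> { name => Gem::Requirement }. Handles the plain
# gem "name"[, "constraint", ...] form only (no groups, git or path sources).
def parse_gemfile(text)
  text.each_line.with_object({}) do |line, deps|
    next unless (m = line.match(/^\s*gem\s+["']([^"']+)["'](.*)$/))
    reqs = m[2].scan(/["']([^"']+)["']/).flatten
    deps[m[1]] = Gem::Requirement.new(reqs.empty? ? [">= 0"] : reqs)
  end
end

# Gemfile.lock -> { name => Gem::Version }; resolved specs sit at exactly four spaces, sub-deps deeper.
def parse_lock_specs(text)
  text.each_line.with_object({}) do |line, specs|
    next unless (m = line.match(/^    (\S+) \(([^)]+)\)$/))
    specs[m[1]] = Gem::Version.new(m[2])
  end
end

# :pinned   exact "=" requirement, so the version moves only by explicit edit
# :floating range or unconstrained, so a routine `bundle update` can move it
# :drift    the locked version no longer satisfies the Gemfile requirement
def audit_pins(gemfile_text, lock_text)
  locked = parse_lock_specs(lock_text)
  parse_gemfile(gemfile_text).map do |name, req|
    version = locked[name]
    status = if version.nil? then :missing_from_lock
             elsif !req.satisfied_by?(version) then :drift
             else req.exact? ? :pinned : :floating
             end
    { name: name, requirement: req.to_s, locked: version&.to_s, status: status }
  end
end
```

Pair a check like this with `bundle install --frozen` (or `BUNDLE_FROZEN=true`) in CI, so the build refuses to re-resolve when the lock and Gemfile disagree instead of quietly pulling the newest release.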
Having your application evaluate code grabbed from Pastebin at runtime [0] will *also* pose some cultural challenges, though. [0] The attack payload here.