Malicious packages in open-source repositories are surging (cyberscoop.com)
37 points by mdp2021 12 months ago | hide | past | favorite | 6 comments


Open source is a system of perfect logic built on the foundation of a few flawed assumptions.

    - Money doesn't matter
    - Contributors are benevolent and altruistic
    - Commercial interests can't/won't game the process
    - Support and security is someone else's responsibility
    - Building useful and viable software is a fun hobby
    - All software should and will be Open Source


500,000 out of 7M projects is a pretty hard-to-believe figure. Staggeringly high percentage if true.


I think they're counting every dependency. For example they mention a backdoored log4j version: but every project pulling that one log4j version is counted as "malicious".

Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.


Which is the right approach, imo. The authors of a package are also responsible for which dependencies they depend on.


> Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

I don’t doubt it. How often do you think people really audit their dependencies?

And with the sophistication demonstrated in that xz attack, it’d probably be hard for the average dev to tell if a package is malicious even if they did.


It shouldn't be hard to believe when the attacker aims to infect as many as possible, no?

