Attackers invite targets to collaborate on a project, convincing them to download and run a repository with malicious npm dependencies.
Attackers invite targets to collaborate on a project, convincing them to download and run a repository with malicious npm dependencies.
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
You're viewing a single thread.
How do Linux distro's deal with this? I feel like however that's done, I'd like node packages to work in a similar way - "package distro's". You could have rolling-release, long-term service w/security patches, an application and verification process for being included in a distro, etc.
It wouldn't eliminate all problems, of course, but could help with several methods of attack, and also help focus communities and reduce duplication of effort.
Linux distros typically use a key signing party to help shore up their security concerns, but I wonder how github would go about implementing something like that.