• tal
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    2 months ago

    I don’t think that that’s a counter to the specific attack described in the article:

    The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.

    That’d be a counter if you have some known-good version of a package and are worried about updates containing malicious software.

    But in the described attack, they’re not trying to push malicious software into legitimate packages. They’re hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).