Hundreds of code libraries posted to NPM try to install malware on dev machines (arstechnica.com)
from mox@lemmy.sdf.org to programming@programming.dev on 05 Nov 2024 03:39
https://lemmy.sdf.org/post/24678589

#programming

threaded - newest

Flipper@feddit.org on 05 Nov 2024 08:05 collapse

Let’s see how long it will alles Till Rust hast the same Problems.

wkk@lemmy.world on 05 Nov 2024 19:17 collapse

Python with PyPI, C# with Nuget, Docker with Dockerhub, Java with Maven Central, hell even just regular Linux packages from dodgy repositories…

Supply chain attacks concern almost everything everyone everywhere.

mox@lemmy.sdf.org on 05 Nov 2024 22:37 collapse

This is one of the more important reasons to minimize dependencies and be very picky about the ones we adopt.

3h5Hne7t1K@lemmy.world on 06 Nov 2024 20:50 next collapse

Absolutely this. It almost seems like a controversial opinion sometimes, but microdependencies is a code smell imo. This could largely be improved by providing a more extended standard lib, at the cost of innovation and velocity maybe. I found this interesting: blessed.rs/crates

Acters@lemmy.world on 06 Nov 2024 21:05 next collapse

IDK about you but the company I work for can’t live without npm packages doing almost everything. For example: the is-even package.

Case@lemmynsfw.com on 07 Nov 2024 21:42 collapse

I don’t disagree. My last job was using winget to update some things. I raised the concept of trusting otherwise unknown updates, but I was pushed aside for the quick utility.

I’m only a student of cybersecurity, but I harshly judge my former “security expert” on far more than that.

Like fuck, the help desk has to install every patch, to every machine, through a spreadsheet?

No, deploy that shit from a server. Fuck.

In a way, I’m glad I left. In another way, I would really like a pay check again… and I moved to a well, tech illiterate state. Fuck me.

mox@lemmy.sdf.org on 07 Nov 2024 22:07 collapse

My condolences. Unfortunately, people are sometimes designated the in-house expert on a thing just because they seem slightly less ignorant of it than anyone else in the organization. That leaves more than a few people making decisions that impact security and privacy without good understanding or sound judgment in those areas.

Maybe you should train up and become your state’s new security expert?