
So who's behind this? Who's doing something about it? Where's Homeland Security on this? This is their job. This is an attack.

"The ease of automatic generation of accounts and repos on GitHub and alike, using comfortable APIs and soft rate limits that are easy to bypass, combined with the huge number of repos to hide among, make it a perfect target for covertly infecting the software supply chain. This campaign, along with dependency confusion campaigns plaguing package registries and generally malicious code being spread through source control managers, demonstrates how fragile software supply chain security is, despite the abundance of tools and available security mechanisms."




> how fragile software supply chain security is, despite the abundance of tools and available security mechanisms

There seems to be a fundamental trade-off at play. I often see security portrayed as a hindrance, and requirements thereof as a drag on productivity. That is in line with a strong trend in developers with a very narrow skill set. The ability to throw frameworks at the wall and see what sticks pays very well. No one wants a stick in the mud asking why on Earth dependency management is in the state it is, or imposing reasonable security practices. I have been there; I have argued with developers from teams that had been breached before saying "no, this is safe because I can't see how this could be exploited". Security by obscurity so deeply ingrained that one takes obscurity from oneself as evidence of safety.


It's worse: if you address these things seriously (as another post here did last week, about software quality), you get rapidly stopped in your tracks. Like you say, and more: 'but everyone does it like this, why would we waste time?' and 'It is safe enough, maybe later we'll revisit'. It is kind of true that clients don't pay for it directly; however, indirectly, it can tank a company.


Herd mentality gets a bad rap, but it generally works for the herd.


Works well on average, and remember that bad actors are also part of the overall herd. It can be very detrimental to the individual (person or company).


Where's GitHub Fraud Detection Team?



That sort of thing happens because there's so much spam and malicious activity, such as the thing reported in this story.


> So who's behind this? Who's doing something about it?

CISA[0] might be a good agency to begin with, if for no other reason than to find a more appropriate one to contact.

0 - https://www.cisa.gov/about


> Where's Homeland Security on this?

Who knows who's behind it?


Isn't that what they should be investigating? Are you trying to imply something with that question?


It's not unheard of for intelligence agencies to create and exploit weaknesses.


The Vault7 operators called. They want their exploit back.



