Yes, this is a real problem. But the text of the email makes it seem the author was the target of some troll attack. The names do not look real on Gmail (Diego jewstein ???) and the text is very LLM-ish.
I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes
That's a good call on the possibility that this is an attack, which I personally hadn't considered despite the recency of the xz shenanigans. At least the maintainer seems to have thought of it.
> Also, I will consider turning it over to an interested party, but I will require at least one recommendation from a Node.js core contributor that I can vet with the people that I know on that team.
Maybe not a perfect solution but it's something. Granted, a new fork might become popular but people could rightly call it into question given this statement.
> I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes
Maybe. I had not considered that, but it might be right.
There are mitigations for such an attack, although you will have to be careful; such mitigations might not really stop it if you are not careful.
I’m surprised gmail spam filters didn’t catch this.