I'd say it doesn't exactly meet the minimum standard for a CVE, as it's more of a technique vs. an actual vulnerability in an application/library. If there was a repo that had a vulnerable component that was currently infected through the manner described, that specific instance would probably qualify as a CVE.
Since this is a technique / overarching issue, it leans more towards being a CWE. Maybe something like:
- CWE-506: Embedded Malicious Code or
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere or
- CWE-1395: Dependency on Vulnerable Third-Party Component
Snyk's docs also explain it: https://github.com/snyk/user-docs/blob/main/docs/manage-risk...
"In almost all cases, malicious packages are not assigned a CVE ID."