The many (many) ways I've backdoored your dependencies and other supply chain at

  • So what do we do? I really think something like Firejail must be the way to go, but it's absolutely not ready for user-friendly prime time. And what do you do on macOS, or for every little tool like `ls` (where I want, say, filesystem access but not network)?

    It all seems a bit hopeless. I refuse to believe anyone who claims to audit everything and every update, and would they have caught xz's backdoor anyway?

  • Most of these points come down to: don't trust random shit from the internet and don't blindly pull it into your projects/env.
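"Don't blindly pull it in" has a mechanical form for pip: pin every dependency to an exact version, lock a sha256 for the artifact, and refuse anything that is not both. The script below is an added example, not code from this thread or from the article it discusses. It uses only the standard library; the requirements text and the stand-in "wheel" bytes are constructed for the demo, and the package names in it are illustrative only.

```python
"""Audit a pip requirements file for unpinned or unhashed dependencies and
verify a downloaded artifact against the hash the file records.

Added example; the requirements text and DEMO_ARTIFACT below are constructed
stand-ins, not real packages or real hashes."""
import hashlib
import re

# Constructed stand-in for a downloaded wheel; its hash is locked in the
# sample requirements so the verification path can be exercised offline.
DEMO_ARTIFACT = b"PK\x03\x04 constructed stand-in for a wheel file"
DEMO_HASH = hashlib.sha256(DEMO_ARTIFACT).hexdigest()

# Constructed sample requirements file (package names are illustrative).
SAMPLE_REQUIREMENTS = f"""\
# exact pin and hash lock: pip --require-hashes accepts only this artifact
requests==2.31.0 \\
    --hash=sha256:{DEMO_HASH}
# exact pin but no hash: trusts whatever the index serves for that version
urllib3==2.2.1
# floating version: any future (possibly backdoored) release is accepted
leftpad>=1.0
# VCS/URL dependency: a moving target, and pip cannot hash-verify it
-e git+https://example.invalid/repo.git#egg=thing
"""

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines.

    pip only treats '#' as a comment at line start or after whitespace,
    so the '#egg=' fragment of a URL survives."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit_requirements(text):
    """Return (requirement, problem) for each line that would let pip install
    something other than one specific, hash-verified artifact."""
    findings = []
    for req in logical_lines(text):
        if req.startswith(("-e ", "git+", "http://", "https://")):
            findings.append((req, "URL/VCS dependency: not hash-verifiable by pip"))
            continue
        if req.startswith("-"):
            continue  # other pip options (-r, --index-url, ...) are out of scope here
        if not PIN_RE.match(req):
            findings.append((req, "no exact == pin: a newer release would be pulled in"))
            continue
        if not HASH_RE.search(req):
            findings.append((req, "pinned but no --hash: trusts whatever the index serves"))
    return findings


def verify_artifact(data, requirement):
    """True only if sha256(data) equals one of the --hash values recorded for
    the requirement line; a single flipped byte fails."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in HASH_RE.findall(requirement)


if __name__ == "__main__":
    for req, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{problem}: {req}")
    locked = logical_lines(SAMPLE_REQUIREMENTS)[0]
    print("artifact ok:", verify_artifact(DEMO_ARTIFACT, locked))
    print("tampered ok:", verify_artifact(DEMO_ARTIFACT + b"\x00", locked))
```

The audit is the pre-commit check; the `verify_artifact` step is what `pip install --require-hashes` does for you once every line carries a hash. Neither tells you whether the pinned release is itself trustworthy, only that you get exactly the bytes you reviewed last time.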


  • "By now, you may have guessed that I haven't literally backdoored your dependencies, but someone else may have, or will."

  • Broken link