Software downloaded 30k times from PyPI ransacked developers’ machines(arstechnica.com)
arstechnica.com
Software downloaded 30k times from PyPI ransacked developers’ machines
https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/
7 comments
crev is an open-source framework trying to fix this, using a web-of-trust approach to reviews: https://github.com/crev-dev/
Currently only available for Cargo, Rust's package manager, but more integrative are being developed.
Currently only available for Cargo, Rust's package manager, but more integrative are being developed.
While this is a logistical problem and people generally don't check code in the dependency tree, I already fear the security mechanisms that might spawn from this.
Did you have anything specific in mind?
stdlib or die.
/me flashes obscure gang insignia
/me flashes obscure gang insignia