Supply-chain attack using invisible code hits GitHub and other repositories(arstechnica.com)
arstechnica.com
Supply-chain attack using invisible code hits GitHub and other repositories
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
5 comments
Can anyone recommend any OSS tooling that could be used in something like a GH action workflow to automatically screen for these types of static attacks on code? Seems like something that should be part of an automated review pipeline if it's getting so hard for humans to visually review against this kind of stuff.
A linter that disallows any code that uses eval in any form seems like a good start to me.
What about for languages that allow pretty much anything in identifiers or variables. JS for example. Or bash. Don't need eval to do anything crazy there.
There's a real vulnerability here but whoever wrote this has no idea what they're talking about.