btaf45@lemmy.world to Technology@lemmy.worldEnglish · 17 days agoHundreds of code libraries posted to NPM try to install malware on dev machinesarstechnica.comexternal-linkmessage-square33fedilinkarrow-up1250arrow-down12cross-posted to: pulse_of_truth@infosec.pubprogramming@programming.devcybersecurity@sh.itjust.works
arrow-up1248arrow-down1external-linkHundreds of code libraries posted to NPM try to install malware on dev machinesarstechnica.combtaf45@lemmy.world to Technology@lemmy.worldEnglish · 17 days agomessage-square33fedilinkcross-posted to: pulse_of_truth@infosec.pubprogramming@programming.devcybersecurity@sh.itjust.works
minus-squareKairos@lemmy.todaylinkfedilinkEnglisharrow-up7·16 days agoOr at the very fucking least require specific versions with checksums, like golang.
minus-squareLavenderDay3544@lemmy.worldlinkfedilinkEnglisharrow-up2·16 days agoI really think every package repository should be opt in and every publisher should be required to verify their identity and along with checksum verification for the downloaded files.
Or at the very fucking least require specific versions with checksums, like golang.
I really think every package repository should be opt in and every publisher should be required to verify their identity and along with checksum verification for the downloaded files.