This attack could have been easily averted… If anybody uploads code to a repo that uses some version of rm -rf / that should automatically be rejected. This is basic malware detection. If they had done anything to obfuscate that functionality, we probably would be finding out about this way too late.
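One concrete form of the check this comment proposes, as an added example that is not from the thread or from any project it mentions: a Python scanner a pre-receive hook could run over a pushed diff (the diff below is constructed), rejecting added lines that invoke rm recursively and forcibly against the filesystem root. It only recognises literal spellings of the command, which is exactly the limitation the comment points out.

```python
import re
import shlex

# Constructed sample diff, as a pre-receive hook would see it (not from the page).
SAMPLE_DIFF = """\
diff --git a/install.sh b/install.sh
+++ b/install.sh
@@ -1,3 +1,6 @@
 set -e
+echo "cleaning up" && rm -rf ./build
+rm -rf /
+rm   --recursive --force /*
 echo "done"
-rm -rf /tmp/build
"""

ROOT_TARGETS = {"/", "/*"}


def _is_destructive_rm(tokens):
    """True if tokens form an rm call that is recursive, forced and aimed at /."""
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "rm":  # also /bin/rm
        return False
    recursive = force = root = False
    for tok in tokens[1:]:
        if tok == "--recursive":
            recursive = True
        elif tok == "--force":
            force = True
        elif tok.startswith("-") and not tok.startswith("--"):
            recursive |= any(c in "rR" for c in tok[1:])  # -rf, -fR, -r ...
            force |= "f" in tok[1:]
        elif tok in ROOT_TARGETS:
            root = True
    return recursive and force and root


def find_destructive_rm(diff_text):
    """Return (diff line number, text) for added lines that contain rm -rf on /."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines; '+++' is the new-file header
        body = line[1:]
        # Split simple command chains; a heuristic, not a full shell parser.
        for cmd in re.split(r"\s*(?:;|&&|\|\||\|)\s*", body):
            try:
                tokens = shlex.split(cmd, comments=True)
            except ValueError:  # unbalanced quotes: fall back to whitespace split
                tokens = cmd.split()
            if _is_destructive_rm(tokens):
                findings.append((lineno, body.strip()))
                break
    return findings


if __name__ == "__main__":
    for lineno, text in find_destructive_rm(SAMPLE_DIFF):
        print(f"rejected: diff line {lineno}: {text}")
```

Run as written it reports the two root-targeting lines of the sample and leaves the `./build` cleanup alone; a hook would exit non-zero when the list is non-empty.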
Supply-chain attacks on open source software are getting out of hand
Submitted 5 days ago by leo@lemmy.linuxuserspace.show to news@lemmy.linuxuserspace.show
Sxan@piefed.zip 5 days ago
Man, I wish people would get off GitHub. I wiped my account when Microsoft acquired GitHub, only to create a new one 6 months later because I wanted to submit patches to a project. The alternative is to not submit patches.