On Mon, Apr 01, 2024 at 03:19:18PM -0500, Nate Bargmann wrote: > * On 2024 01 Apr 14:01 -0500, Andy Smith wrote: [...] > Until now, who anticipated this? I'm sure there are security > researchers who have and it's likely that I'm not well-read enough on > this topic to have seen it discussed. How many people did it occur to > that when A links to B and B links to C that C can create a > vulnerability in A? That is what I understand happened here. This pattern has been seen in other contexts. Here [1] is a good review of "supply chain attacks", which unsurprisingly happen most often in decentrally managed package distributions which at the same time have "production environments" where time-to-deploy is the main mover: npm, PyPi and RubyGems. If you don't have the time to even consider what the hundreds of packages you're ploughing into your app actually do, this is no surprise. So yes, the pattern was known. It was, up to now, pretty unusual in this context. But the deeper "the stack" becomes... (so I think Nate had a point. That Andy read that as a "systemd insult" is IMHO infortunate, because it clogs a potentially useful discussion. But there you are). The next level is using a package phantasized by your trusty "AI" [2] counsellor (and whose name was predicted by a malicious actor, because "AI" tends to phantasize names consistently). Note that this one was just (yet?) a proof of concept. Cheers [1] https://arxiv.org/abs/2005.09535 [2] https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/ -- tomás
Attachment:
signature.asc
Description: PGP signature