[-] PhilipTheBucket@piefed.social 15 points 5 days ago

I feel like this is kind of the amateur-hour stuff. It's certainly dangerous, but in comparison to a lot of state-actor activities (or even committed-amateur activities), this kind of supply-chain attack is pretty blatant and easy to spot. Which doesn't mean it's easy to spot -- I just mean it would be trivial to volunteer and contribute some minimal fixes and enhancements to some open source project, and then at one point smuggle in a zero-day that will basically never be detected unless someone detects the intrusion itself and then works backwards from there with a ton of time to spend on it.

If you've ever looked at the obfuscated C contest it should be obvious that this kind of thing can be made completely invisible if you know what you're doing. Some of the interactions and language features that lead to problems are basically impossible for a casual viewer to see, even if they're paying attention, and the attack surface is massive and the amount of attention that goes into checking it for weird subtle vulnerabilities is minuscule.

[-] eldavi@lemmy.ml 7 points 5 days ago

> I feel like this is kind of the amateur-hour stuff. It's certainly dangerous, but in comparison to a lot of state-actor activities (or even committed-amateur activities), this kind of supply-chain attack is pretty blatant and easy to spot. Which doesn't mean it's easy to spot

the real worrisome stuff comes from state actors who know what they're doing and have captured the entire ecosystem to prevent it from being discovered until it doesn't matter any more. eg stuxnet, prism, etc.

[-] PhilipTheBucket@piefed.social 6 points 5 days ago

Yeah, exactly. If you read the Snowden leaks to learn the details of what some of their actual capabilities are (smuggling flawed keys into the DH exchange for most major web browsers for example), it makes this stuff look like kids in their basements fucking around.

[-] eldavi@lemmy.ml 4 points 5 days ago

i can't read them, they frighten me. lol

[-] pmk@lemmy.sdf.org 4 points 5 days ago

How about these words: "Reflections on Trusting Trust".

[-] eldavi@lemmy.ml 1 point 3 days ago

i forgot that this was a thing and i think it's a sure-fire sign that i've left the developer fold. lol

[-] stsquad@lemmy.ml 9 points 5 days ago* (last edited 5 days ago)

I've long avoided npm but attacks on PyPI are a worry.

[-] Flagstaff@programming.dev 6 points 5 days ago

Just great.

this post was submitted on 11 Aug 2025
84 points (98.8% liked)
