-
### Related Problem
Background: Supply chain attacks are becoming an increasingly common vector for compromise.
Most recently, the open source library xz was compromised via a bad actor who inserted malic…
-
## Request Summary:
Open Source Module Supply Chain attacks pose a real risk to the community:
For example: https://www.zdnet.com/article/corrupted-open-source-software-enters-the-russian-battl…
-
# NPM Supply Chain Attack Vulnerability
## Overview (TL/DR)
With an internet-based election protocol, election tampering can be done at scale.
A Node.js/JavaScript library supply chain attack …
-
Today, opentelemetry-cpp got an attack in the form of:
* a PR, that wants to add binary files (a .zip) and shell scripts in the repo
This PR has already been deleted; the audit trail shows:
```
File C…
```
-
Before I begin, here's some supplementary reading material. I'll try to make this feature request make sense without reading any of this material, but in case I fail this should fill in any of the gap…
-
This is likely a long-term wish, but filing it so it does not get entirely forgotten.
See https://go.dev/blog/supply-chain
Some ideas:
- We could add also transitive dependencies to the manifest to make them…
-
Consider if supply chain attacks on a compiler itself are within the scope of the book. For example, compilers are widely deployed and so could be an attractive target for an attacker to insert code i…
-
- [x] NPM `electron-native-notify` - https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
- [ ] NPM `event-stream` https://medium.com/@hkparker/analysis-of-a-suppl…
-
Hey,
I wasn't able to report this security vulnerability via the only given channel on BugCrowd. The BugCrowd triage team [said](https://bugcrowd.com/submissions/3f86e5a6-b68a-403d-aed8-3cab3904139…
-
In light of the `xz` attack:
* https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
audit the opentelemetry-cpp repository for possib…