Open source package with 1 million monthly downloads stole user credentials

You're currently viewing only markgo's posts.

markgo

Ars Praefectus
3,863
Subscriptor++
The paranoia of larger corporations' controls on use of external software is starting to look justified.

Developers of all sizes would be wise to take a far more critical look at whether, when, and how to accept upgrades of external components.

For one thing, restricting packages to versions that have been available for 30 days or other reasonable bake time (unless there are critical security fixes) gives quite a bit of protection from watering hole attacks by letting others be the guinea pigs.

It would be lovely if package update tools supported this directly.

But regardless of policy, each update should be individually examined and “update all packages” actions need to die.

Yes, this takes time and effort. But attacks like these are why we can’t have nice things.
 
Upvote
42 (42 / 0)
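One way to implement the bake-time rule from the post above, as an added example (not code from the thread or from any package manager): it assumes npm-style packument metadata, whose `time` object maps each version to its ISO-8601 publish timestamp, and runs against a constructed sample for a hypothetical package `examplepkg`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample npm-style packument for a hypothetical package "examplepkg";
# the registry's "time" object maps each version to its ISO-8601 publish date.
SAMPLE_PACKUMENT = {
    "name": "examplepkg",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2023-01-10T12:00:00.000Z",
        "modified": "2024-03-02T09:30:00.000Z",
        "1.4.0": "2023-11-20T08:00:00.000Z",
        "1.5.0": "2024-01-15T10:00:00.000Z",
        "2.0.0-rc.1": "2024-02-20T10:00:00.000Z",
        "2.0.0": "2024-03-02T09:30:00.000Z",   # three days old: not baked yet
    },
}
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed "current" date


def parse_version(v):
    """Split '2.0.0-rc.1' into ((2, 0, 0), True); the flag marks a prerelease."""
    core, _, pre = v.partition("-")
    return tuple(int(p) for p in core.split(".")), bool(pre)


def baked_versions(packument, min_age_days=30, now=NOW):
    """Stable versions published at least min_age_days ago, newest first."""
    cutoff = now - timedelta(days=min_age_days)
    candidates = []
    for version, published in packument["time"].items():
        if version in ("created", "modified"):
            continue  # registry bookkeeping keys, not versions
        nums, prerelease = parse_version(version)
        if prerelease:
            continue  # release candidates never count as baked
        published_at = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if published_at <= cutoff:
            candidates.append((nums, version))
    return [v for _, v in sorted(candidates, reverse=True)]


def choose_version(packument, min_age_days=30, now=NOW):
    """Newest version that has baked long enough, or None if nothing qualifies."""
    baked = baked_versions(packument, min_age_days, now)
    return baked[0] if baked else None


if __name__ == "__main__":
    print(f"latest={SAMPLE_PACKUMENT['dist-tags']['latest']}, "
          f"pinned after 30-day bake time={choose_version(SAMPLE_PACKUMENT)}")
```

The "critical security fix" exception the post mentions is a policy decision and is deliberately not automated here; a reviewed allowlist of versions would be the natural place for it.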

markgo

Ars Praefectus
3,863
Subscriptor++
So then in future, malicious directors will simply mark it as containing a critical security fix...

I fear this is true. But it’s also likely to cause other maintainers and users to take a closer look at the actual changes, so it’s a bit of a mixed bag for the attacker.
 
Upvote
3 (3 / 0)