this post was submitted on 11 Aug 2025
85 points (98.9% liked)

Open Source

[–] eldavi@lemmy.ml 7 points 1 month ago (1 children)

I feel like this is kind of the amateur-hour stuff. It’s certainly dangerous, but in comparison to a lot of state-actor activities (or even committed-amateur activities), this kind of supply-chain attack is pretty blatant and easy to spot. Which doesn’t mean it’s easy to spot

The real worrisome stuff comes from state actors who know what they're doing and have captured the entire ecosystem to prevent it from being discovered until it doesn't matter any more, e.g. Stuxnet, PRISM, etc.

[–] PhilipTheBucket@piefed.social 6 points 1 month ago (1 children)

Yeah, exactly. If you read the Snowden leaks to learn the details of what some of their actual capabilities are (smuggling flawed keys into the DH exchange for most major web browsers for example), it makes this stuff look like kids in their basements fucking around.

[–] eldavi@lemmy.ml 4 points 1 month ago (1 children)

I can't read them; they frighten me. lol

[–] pmk@lemmy.sdf.org 4 points 1 month ago (1 children)

How about these words: "Reflections on Trusting Trust".

[–] eldavi@lemmy.ml 1 points 1 month ago

I forgot that this was a thing, and I think it's a sure-fire sign that I've left the developer fold. lol