What We Know About The xz Utils Backdoor That Almost Infected The World
- Dan Goodin tl;dr: “A lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.” featured in #503
The Massive Bug At The Heart Of The NPM Ecosystem
- Darcy Clarke tl;dr: An npm package's manifest is published independently from its tarball. Manifests are never fully validated against the tarball's contents. The ecosystem has broadly assumed that the contents of the manifest and tarball are consistent. Any tools or insights that rely on the public registry's manifests are susceptible to exploitation and are likely inaccurate. Bad actors can hide malware and scripts in direct or transitive dependencies that go undetected. featured in #428