To whom it may concern:
Geez, chalk is there.
This was bound to happen.. and probably has been happening, just not yet at this scale.
CDNs are also a huge attack vector.
It’s all a giant house of cards.
As soon as there is an economic incentive to game a trust based system, it will be exploited, either maliciously.. or ultimately by the resource owner themselves.
The first canary in the coal mine: SourceForge has begun hijacking popular software from their download lists - Consider IT
Replace SourceForge with your favorite CDN.. (initially by malicious actors, and eventually by the companies themselves as they struggle to generate revenue from a “free” service.)
We’ve been warned about this stuff for decades now.
Why does npm as a middleman even need to exist? So I can type “three” instead of the actual URL to the repo?
I wish I had an answer. I guess.. download libraries from the source, and like.. actually inspect the code? idk. Everything sucks.