On Sat, Nov 26, 2022 at 02:44:51PM -0000, Curt wrote:
> On 2022-11-25, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
>
> > If you care about your results, better find ways of, well,
> > auditing your code.
>
> Are you aware of this?
> https://github.com/advisories/GHSA-97m3-w2cp-4xx6
I don't follow those node mess-ups very closely. But they seem to be pretty frequent (some of them even quite spectacular, like the event-stream case): https://lwn.net/Articles/773121/

This case is particularly beautiful, because:

* it was a legit package which was orphaned by the original author and taken over by a volunteer "nice enough" to take on the burden (harr, harr)

* the malicious change was targeted at exactly one application (Copay). It deployed itself only when "building" that app (surprisingly, you kinda "compile" javascript applications these days: go figure). So it harks back nicely to Ken Thompson's classic "Trusting Trust" article (already mentioned in this thread).

As far as I remember the LWN article linked to above, it got caught before stealing any bitcoin, but just by a slim margin. Worth a read.

Cheers
-- t