• BB_C@programming.dev
    ·
    10 months ago

    Yay. My first ad-masquerading-as-a-genuine-post experience on Lemmy!

    Thus, we’ve developed a cargo extension that transparently queries the Phylum API for information about a package before it’s allowed to build.

    Only our* malware-like behaviour is blessed. Because it's a feature. And research-based. And security-oriented. And commercial! We told you about it beforehand and sold you the idea.

    * Assuming the malware discovered is not theirs too.

  • Lucky@lemmy.ml
    ·
    10 months ago

    Another way to mitigate typosquatting would be namespacing crates. Much easier to verify who owns the package and related packages.

    • Vorpal@programming.dev
      ·
      10 months ago

      Doesn't really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.
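Vorpal's point above, as an added illustration that is not code from the thread, from Phylum or from cargo: a pre-build look-alike check that flags any dependency name one edit away from a trusted name. The trusted lists, the dependency names and the `owner/crate` namespace form are all constructed for this example. Run against a namespaced registry, the check has exactly the same shape and catches exactly the same class of mistake, because a typo in the owner half is still one edit from the trusted full name.

```rust
// Added example (not from the thread, Phylum or cargo): a pre-build check that
// flags dependency names within one edit of a trusted name, with and without
// namespaces. The trusted lists and dependency names are constructed here.

/// Optimal-string-alignment edit distance: insert, delete, substitute and
/// adjacent transposition, the operations behind most typosquats.
fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n {
        d[i][0] = i;
    }
    for j in 0..=m {
        d[0][j] = j;
    }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            let mut best = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            // Adjacent transposition ("tokoi" for "tokio").
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                best = best.min(d[i - 2][j - 2] + 1);
            }
            d[i][j] = best;
        }
    }
    d[n][m]
}

/// Verdict for one dependency name against a trusted list.
#[derive(Debug, PartialEq)]
enum Verdict {
    Trusted,
    /// Not trusted, but one edit away from this trusted name.
    LookAlike(String),
    Unknown,
}

/// Flag any name that is one edit from a trusted name but is not itself trusted.
/// `trusted` holds full names; with namespaces that means "owner/crate", so the
/// owner part is compared on exactly the same footing as the crate part.
fn check_dependency(name: &str, trusted: &[&str]) -> Verdict {
    if trusted.contains(&name) {
        return Verdict::Trusted;
    }
    for t in trusted {
        if edit_distance(name, t) <= 1 {
            return Verdict::LookAlike(t.to_string());
        }
    }
    Verdict::Unknown
}

fn main() {
    // Flat registry: the typo is in the crate name (constructed names).
    let flat_trusted = ["serde", "tokio", "rand"];
    for dep in ["serde", "serdo", "tokoi", "hyper"] {
        println!("{dep:>16} -> {:?}", check_dependency(dep, &flat_trusted));
    }
    // Namespaced registry (hypothetical "owner/crate" form): the crate half is
    // exact and the owner half is typoed. Same check, same class of mistake.
    let ns_trusted = ["serde-rs/serde", "tokio-rs/tokio"];
    for dep in ["serde-rs/serde", "serde-rs/serdo", "srede-rs/serde"] {
        println!("{dep:>16} -> {:?}", check_dependency(dep, &ns_trusted));
    }
}
```

The distance-1 threshold is deliberately tight: it catches the single-keystroke slips a squatter registers for, while leaving genuinely different names (`hyper`) as merely unknown for whatever allowlisting policy sits behind the check.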