Hacker News

I think so. It’s that third step that I can’t figure out. Build systems are configured to pull the latest version of a dep automatically, without review, and then publish. It seems the poorly configured pipelines are what enable these attacks. Fix your pipelines.
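
The failure mode the comment points at (a pipeline that resolves "whatever is newest" at build time) is something a CI job can check for before it installs anything. The following is an added example, not code from the comment or from any project it refers to: it audits an npm-style `package.json` for dependency specifiers that float (caret/tilde ranges, `latest`, `*`, git refs without a full commit hash). The manifest, package names and hash are constructed placeholders.

```python
"""Audit a package manifest for dependency specifiers that let a build
pull whatever version is newest at build time (added example)."""
import json
import re

# Exact pin: "1.2.3", optionally with a prerelease/build tag. Anything else floats.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")
FULL_COMMIT = re.compile(r"#[0-9a-f]{40}$")


def is_floating(spec: str) -> bool:
    """True if an npm-style specifier can resolve to a newer version later."""
    s = spec.strip()
    if s in ("", "*", "latest") or s.startswith(("^", "~", ">", "<", "x")):
        return True
    # git URLs / shorthand refs float unless pinned to a full commit hash.
    if "://" in s or s.startswith("github:"):
        return FULL_COMMIT.search(s) is None
    return EXACT.match(s) is None


def audit_manifest(text: str) -> list:
    """Return (section, name, spec) for every floating dependency."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if is_floating(spec):
                findings.append((section, name, spec))
    return findings


# Constructed sample manifest; names are placeholders, not real packages.
SAMPLE = """{
  "name": "example-app",
  "dependencies": {"left-lib": "^1.4.0", "safe-lib": "2.0.1", "util-lib": "latest"},
  "devDependencies": {"test-lib": "~3.2.0", "lint-lib": "5.0.0",
                      "fork-lib": "github:example/fork-lib"}
}"""

if __name__ == "__main__":
    for section, name, spec in audit_manifest(SAMPLE):
        print(f"{section}: {name} -> {spec!r} floats; pin it and commit a lockfile")
```

Exact pins in the manifest only cover direct dependencies; transitive resolution is still only fixed by a committed lockfile installed with a frozen install (for npm, `npm ci`), and a change to either file should go through the same review as source code.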

