I see a future where there are LLM vetted repos for Java, Python, Go, etc... And it will cost $1 to submit a release candidate (even for open source)
post-it 2026-04-14 03:20
It wouldn't help in this case, since the attacker was willing to pay.
bradley13 2026-04-14 03:23
Whenever I look at a web project, it starts with "npm install" and literally dozens of libraries get downloaded. The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.
meteyor 2026-04-14 03:24
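Added example illustrating the point in the post above (not part of the thread and not any project's own code): a small Node script that reads the `packages` map of a lockfileVersion 2/3 `package-lock.json`, lists the direct dependencies, every transitive package together with the dependency chain that pulled it in, entries resolved from somewhere other than the public registry, and orphaned lockfile entries nothing depends on. The sample lockfile, package names and versions below are constructed.

```javascript
// Added example, not from the thread: enumerate what "npm install" pulls in from a package-lock.json
// (lockfileVersion 2/3 "packages" layout): direct deps, each transitive package with the chain that
// explains it, entries resolved from outside the public registry, and orphaned entries nothing depends on.
const REGISTRY = "https://registry.npmjs.org/";
const tgz = (n, v) => REGISTRY + n + "/-/" + n + "-" + v + ".tgz";
// Constructed sample lockfile: shared transitive dep (debug), nested duplicate (ms), git entry, orphan.
const sampleLock = {
  packages: {
    "": { dependencies: { express: "^4.19.0" }, devDependencies: { jest: "^29.0.0" } },
    "node_modules/express": { version: "4.19.2", resolved: tgz("express", "4.19.2"), dependencies: { "body-parser": "1.20.2", debug: "2.6.9" } },
    "node_modules/body-parser": { version: "1.20.2", resolved: tgz("body-parser", "1.20.2"), dependencies: { debug: "2.6.9" } },
    "node_modules/debug": { version: "2.6.9", resolved: tgz("debug", "2.6.9"), dependencies: { ms: "2.0.0" } },
    "node_modules/ms": { version: "2.0.0", resolved: tgz("ms", "2.0.0") },
    "node_modules/jest": { version: "29.7.0", dev: true, resolved: tgz("jest", "29.7.0"), dependencies: { ms: "2.1.3" } },
    "node_modules/jest/node_modules/ms": { version: "2.1.3", dev: true, resolved: "git+ssh://git@example.invalid/fork/ms.git#abc123" },
    "node_modules/left-over": { version: "0.0.1", resolved: tgz("left-over", "0.0.1") },
  },
};
// Node-style resolution: look for node_modules/<dep> under `fromPath`, then walk upward to the root.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}
function analyzeLock(lock) {
  const packages = lock.packages || {}, root = packages[""] || {};
  const direct = Object.keys({ ...root.dependencies, ...root.devDependencies });
  const chain = new Map(), queue = []; // installed path -> package names from the root down to it
  const visit = (from, dep, parents) => {
    const p = resolveDep(packages, from, dep);
    if (p && !chain.has(p)) { chain.set(p, [...parents, dep]); queue.push(p); }
  };
  direct.forEach((name) => visit("", name, []));
  while (queue.length) { // breadth-first walk over the declared dependency edges
    const p = queue.shift(), pkg = packages[p];
    Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies }).forEach((d) => visit(p, d, chain.get(p)));
  }
  const reached = [...chain.keys()];
  return {
    direct,
    transitive: reached.filter((p) => chain.get(p).length > 1).map((p) => ({ path: p, version: packages[p].version, via: chain.get(p).join(" > ") })),
    nonRegistry: reached.filter((p) => !(packages[p].resolved || "").startsWith(REGISTRY)),
    unreachable: Object.keys(packages).filter((p) => p !== "" && !chain.has(p)),
  };
}
```

For a real project, call `analyzeLock(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))`; the `nonRegistry` and `unreachable` lists are the entries worth a second look during review.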
So how was this attack gonna generate "revenue" for the attacker? What kind of info did they get hold of?
dec0dedab0de 2026-04-14 03:26
The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks. This is the best reason for letting users install from npm directly instead of bundling dependencies with the project.
nullbyte 2026-04-14 03:27
That's kinda based ngl
gkoberger 2026-04-14 03:27
No it's not.
alex1138 2026-04-14 03:28
Why is this comment instantly grey (downvoted)? What is wrong with HN and the people who accrue enough karma (you need 500 to downvote) who go around doing this?
f311a 2026-04-14 03:29
They inject backlinks, SEO spam to advertise payday loans, pharmacy and so on. Just imagine you can get 30k of links to your website at once. Google will rank that page very high.
gkoberger 2026-04-14 03:29
They're adding backlinks to other sites. They're either making revenue from those sites, or (more likely) selling backlinks to unsavory products.