diff --git a/_posts/2025-06-07-package-managers.md b/_posts/2025-06-07-package-managers.md index 14335c1..35d473a 100644 --- a/_posts/2025-06-07-package-managers.md +++ b/_posts/2025-06-07-package-managers.md @@ -26,8 +26,8 @@ without revision, most individuals would say that that it isn't okay. When the same question arises about whether it's okay for millions of lines of code by hundreds or even thousands of developers from around the globe to introduce changes to a codebase, most companies shrug and say that they use Static -Application Security Testing (SAST) - but we all know this doesn't address the -issue, otherwise supply chain attacks would not be nearly as common. +Application Security Testing (SAST) and monitor - but we all know this doesn't +address the issue, otherwise supply chain attacks would not be nearly as common. ## SAST and Spiderman @@ -68,6 +68,11 @@ this year so far: * June 5 2025: "One collection of PyPI packages is designed to "monkey patch" Solana key-generation methods by modifying relevant functions at runtime without making any changes to the original source code." [ref](https://web.archive.org/web/20250605205948/https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html) +So next time when installing a package, consider what is being installed. The +issue is that it's usually not just the top level dependency that will end up +being installed - there are often many sub-dependencies, and package managers +like npm will run the installation lifecycle scripts of each one. + ## Who Wrote The Code? Package managers are open ecosystems with contributors from all over the world, 
@@ -109,7 +114,8 @@ installation and during runtime resulting in complete compromise. * Not reviewing every line of code manually will inevitably lead to compromise given a long enough time horizon. -* SAST is a feel good measure that is not sufficient for ensuring code security. +* SAST/monitoring is a partial measure that is not sufficient for ensuring +code security. * If it can be done with the standard language library, avoid adding dependencies.
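Review bot: In the first hunk, "use Static Application Security Testing (SAST) and monitor - but we all know" leaves "monitor" without an object, so the sentence no longer parses; the later hunk uses "SAST/monitoring", so the two should agree. Suggest "use Static Application Security Testing (SAST) and runtime monitoring - but we all know this doesn't address the issue". While touching this region, the hunk's context line still carries the doubled "that that it isn't okay" typo, which could be fixed in the same commit.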
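Review bot: The new paragraph in the second hunk names the risk (npm runs the install lifecycle scripts of every transitive dependency) but not the corresponding control, which is the natural next sentence for a reader: npm's `--ignore-scripts` flag, or `ignore-scripts=true` in `.npmrc`, prevents those scripts from running at install time, at the cost of breaking packages that genuinely need a build step. Suggest adding one sentence to that effect after "will run the installation lifecycle scripts of each one." Minor wording: "So next time when installing a package" reads better as "So next time you install a package", and "top level dependency" should be hyphenated as "top-level dependency".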
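Review bot: In the third hunk, "SAST/monitoring is a partial measure that is not sufficient" says the same thing twice ("partial" already implies "not sufficient"), and "SAST/monitoring" differs from the phrasing introduced in the first hunk. Suggest "* SAST and runtime monitoring help, but are not sufficient for ensuring code security." Since this bullet is the summary of the section's argument, it would also be worth keeping some of the force of the original "feel good measure" wording, for example "are not a substitute for reviewing the code you install", so the softened bullet still matches the body text above it.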