The npm supply chain attacks (or any similar ones) are essentially the same issue described in the article. You can't trust 3rd-party provided code implicitly. Even if the code is initially fine it's subject to change in later revisions. This issue goes all the way down the stack. Obviously, with a large user base the likelihood of quick detection goes up, but the issue never goes away.
> You can't trust 3rd-party provided code implicitly.
But that is what (almost) all of us do.
There is debate about this in the Rust world, where there are mitigations that very few are even aware of.
Mostly Rustaceans block their ears, close their eyes, and pretend everything will be just peachy.
Until some ordinary developer develops a crypto wallet in Rust, honestly, that steals money for a third party, this will not be addressed. Even then...
This is a big problem and we need to make everybody aware that they can protect themselves, and make them liable for not taking those steps, before that happens.
What exactly are you talking about? Interested to learn more.
Almost every developer outside the defense and aerospace sector is just stuffing code from internet randos into their binaries, JARs, and wheels. Just after they run this code on their developer machine that they keep their SSH keys on. It's a wonder/mystery/miracle we're not all hacked all day every day. The Rust and JS worlds are especially bad because somehow people got it into their heads that more dependencies are better. Why write 5 lines of your own code when you can use a dependency? (This is a real example of a discussion I've had at work)
Ah, I see. True. In my case I am looking forward to setting up a Linux workstation where I will severely limit random access to my system (and $HOME) via various means, e.g. Flatpak and others. $HOME/.ssh is definitely first on the list.
But I agree that the out-of-the-box settings really make you wonder how we are not indeed hacked all day every day.
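The mechanism the thread keeps circling back to is that `npm install` runs a dependency's lifecycle scripts on the developer's machine, next to the SSH keys. Below is an added example (not code from any post in this thread) that audits a dependency tree for such install-time hooks so they can be reviewed before running, or blocked with `npm install --ignore-scripts`; the package names and scripts in the sample are constructed.

```python
"""Audit an npm dependency tree for install-time lifecycle hooks.

npm executes a package's preinstall/install/postinstall scripts during
`npm install`, so a compromised dependency gets code execution as the
developer before anyone reads it. This lists every package declaring such
a hook, over a real node_modules tree or the constructed sample below.
"""
import json
from pathlib import Path

# Hooks npm runs on install; `prepare` also runs for git dependencies.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def hooks_in_manifest(manifest: dict) -> dict:
    """Return {hook_name: command} for install-time hooks in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def audit_tree(root: Path) -> list:
    """Walk node_modules under root and report (name, hooks) for each package with hooks."""
    findings = []
    for pkg_json in sorted(root.rglob("package.json")):
        if "node_modules" not in pkg_json.parts:
            continue  # skip the project's own manifest
        try:
            manifest = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; npm would reject it too
        hooks = hooks_in_manifest(manifest)
        if hooks:
            findings.append((manifest.get("name", pkg_json.parent.name), hooks))
    return findings


def audit_manifests(manifests: dict) -> list:
    """Same check over in-memory manifests (used for the constructed demo)."""
    return [(name, hooks_in_manifest(m)) for name, m in manifests.items()
            if hooks_in_manifest(m)]


# Constructed sample standing in for a real node_modules tree (hypothetical names).
SAMPLE_MANIFESTS = {
    "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "node test.js"}},
    "suspicious-helper": {"name": "suspicious-helper",
                          "scripts": {"postinstall": "node setup.js", "test": "jest"}},
}

if __name__ == "__main__":
    for name, hooks in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{name}: {hooks}")
```

Run `audit_tree(Path("node_modules"))` inside a checked-out project to see what would execute on the next install.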