
Yes, this is a supply chain attack. That’s how Snap works. As far as I know, no one is alleging they actually changed anything, just that they could.



It's a supply chain attack.

Is it really a supply chain attack? Were any modules taken control of

This is mind blowing. A supply chain attack that pivots to another supply chain attack. Crazy.

This is perhaps the most novel usage of a supply chain attack I've yet seen.

Why would they do that? Surely it's to their advantage to actually tell the targets of the supply chain attack about it?

What are you basing this on other than speculation?


Or supply chain attack

Could the manufacturer perform this type of "attack" on their own supply chain?

Supply chain attacks?

At a naive level, this sounds like the sort of supply chain attack we've all been taught to fear. Asking seriously: has this build been replicated? Is the source different from mainline? If so, what changed and who changed it?

This is NOT a supply chain attack. Solarwinds was a supply chain attack. This is a typosquatting demonstration that happens every one or two years.

This is not a compromised supply chain, but fake packages.

See my earlier comment here https://news.ycombinator.com/item?id=34390100

The fake packages are not part of any supply chain and are quite easy to detect. A more serious attack would be rigging an existing widely used OSS package, but this is not what the post is about and its title is somewhat misleading.


Or maybe a supply chain man-in-the-middle attack.

supply chain attacks

Ah, wow. I didn't realize this was a thing, very convenient target for a supply chain attack, then.

I work in this area. This is not a supply chain attack. This is a typosquatting "attack" people keep rediscovering every year or two.

I know, because I wrote an as yet unpublished paper on safely pulling packages from private and public repos.


So they are adding a hidden, targetable supply chain attack vector on purpose?

I can't read the article from here but attacking the supply chain isn't new. It is something that requires constant vigilance.

In 2022 it's a "supply chain attack" if it disrupts downstream users. The faker.js / colors.js changes were also seen as a supply chain attack even though the maintainer knowingly made the changes.

E.g. a supply chain attack.