Hacker Read

cyberphobe · 2022-11-03 12:43:12

Yes, this is a supply chain attack. That’s how Snap works. As far as I know, no one is alleging they actually changed anything, just that they could.

GoblinSlayer | karma 1313 | avg karma 0.44 · | 2023-09-14 09:11:05

It's a supply chain attack.

sodality2 | karma 3858 | avg karma 3.38 · | 2022-03-17 21:22:26

Is it really a supply chain attack? Were any modules taken control of

seanieb | karma 1103 | avg karma 4.41 · | 2020-12-18 01:35:27+00:00

This is mind blowing. A supply chain attack that pivots to another supply chain attack. Crazy.

ryanisnan | karma 1659 | avg karma 3.69 · | 2023-10-17 11:26:15

This is perhaps the most novel usage of a supply chain attack I've yet seen.

jschwartzi | karma 6010 | avg karma 2.33 · | 2018-10-07 04:47:46

Why would they do that? Surely it's to their advantage to actually tell the targets of the supply chain attack about it?

What are you basing this on other than speculation?

reply

dzikimarian | karma 827 | avg karma 2.14 · | 2023-10-24 13:04:39

Or supply chain attack

rebuilder | karma 3687 | avg karma 2.71 · | 2018-03-20 18:17:17+00:00

Could the manufacturer perform this type of "attack" on their own supply chain?

eurasiantiger | karma 1672 | avg karma 0.78 · | 2022-01-24 01:19:13

Supply chain attacks?

frontiersummit | karma 163 | avg karma 3.62 · | 2022-11-03 12:27:08

At a naive level, this sounds like the sort of supply chain attack we've all been taught to fear. Asking seriously: has this build been replicated? is the source different from mainline? if so, what changed and who changed it?

trishankkarthik | karma 11 | avg karma 0.25 · | 2021-02-10 12:12:45+00:00

This is NOT a supply chain attack. Solarwinds was a supply chain attack. This is a typosquatting demonstration that happens every one or two years.

miohtama | karma 9783 | avg karma 4.13 · | 2023-01-15 09:37:12

This is not a compromised supply chain, but fake packages.

See my earlier comment here https://news.ycombinator.com/item?id=34390100

The fake packages are not part of any supply chain and are quite easy to detect. More serious attack would be rigging an existing widely used OSS package, but this is not what the post is about and its title is somewhat misleading.

reply

losteric | karma 5210 | avg karma 3.91 · | 2018-11-01 05:11:20+00:00

Or maybe a supply chain man-in-the-middle attack.

joshu | karma 14055 | avg karma 3.32 · | 2021-07-23 11:57:53

supply chain attacks

stavros | karma 66636 | avg karma 10.05 · | 2024-06-26 21:07:36

Ah, wow. I didn't realize this was a thing, very convenient target for a supply chain attack, then.

trishankkarthik | karma 11 | avg karma 0.25 · | 2021-02-10 07:56:56

I work in this area. This is not a supply chain attack. This is a typosquatting "attack" people keep rediscovering every year or two.

I know, because I wrote an as yet unpublished paper on safely pulling packages from private and public repos.

reply

user-the-name | karma 902 | avg karma 0.45 · | 2022-02-10 09:52:31

So they are adding a hidden, targetable supply chain attack vector on purpose?

Maxburn | karma 709 | avg karma 1.9 · | 2022-01-25 07:09:40

I can't read the article from here but attacking the supply chain isn't new. It is something that requires constant vigilance.

TAForObvReasons | karma 4197 | avg karma 3.55 · | 2022-03-17 21:27:11

In 2022 it's a "supply chain attack" if it disrupts downstream users. The faker.js / colors.js changes were also see as a supply chain attack even though the maintainer knowingly made the changes.

Arbortheus | karma 453 | avg karma 4.49 · | 2023-02-02 18:11:10

E.g. a supply chain attack.