Comment by kjok
2 months ago
Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR.
2 months ago
Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR.
on the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.
MS doesn't care
> on the other hand, the previous supply chain attack was found by automated tech.
Are you sure about this? Would love to see which ones.
The chalk/debug one https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe socket also found it this way just a bit later.
The dev later said that Charlie notifying him probably shaved off some very important time for the remediation.
So in this case 2 different companies found it using automated tech before anyone else
2 replies →