Comment by kjok

2 months ago

> on the other hand, the previous supply chain attack was found by automated tech.

Are you sure about this? Would love to see which ones.

The chalk/debug one https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe Socket also found it this way, just a bit later.

The dev later said that Charlie notifying him probably shaved off some very important time for the remediation.

So in this case 2 different companies found it using automated tech before anyone else.

  • Hi, I'm Charlie from Aikido, as mentioned above. Yes, we detected it automatically, and I alerted Josh to the situation on BSky.

    There's no reason why Microsoft/npm can't do what we're doing, or any of the other handful to dozen companies that do similar things to us, to protect the supply chain.