Comment by zar1048576
24 days ago
In case it helps, we open-sourced a tool to audit dependencies for this kind of supply-chain issue. The motivation was that there is a real gap between classic “known vulnerability” scanning and packages whose behavior has simply turned suspicious or malicious. We also use AI to analyze code and dependency changes for more novel or generic malicious behavior that traditional scanners often miss.
Project: https://point-wild.github.io/who-touched-my-packages/