Tag: supply-chain

Supply chain risk: more javascript npm shenanigans, OSS governance

Lately I’ve been talking a lot about supply chain risk. You import some software, and are suddenly importing their business model and practices. Well, we’ve just had another ‘shenanigan’ unveiled. And it’s got some good drama. https://github.com/dominictarr/event-stream/issues/116 In a nutshell


Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau

So most of you will have the Slovak ‘NBU’ on your RSS speed-dial, but I found I was a bit behind on my reading of it. As I was catching up, skcsirt-sa-20170909-pypi caught my eye. In a nutshell, it’s around


Software supply chain risk management robots

It finally happened to you. A developer used ‘import A’. A pulled in B, B pulled in C, D. D pulled in E… and somewhere along that chain evil lurked. Now all your bits are belong to l33t hackerz.
