date 2022-01-14
Misguided Security Theatre
Attack on German companies through NPM packages [Ed: Microsoft is transmitting malware again, but guess who the media will blame (perpetrators and victims, not the carrier)]
A new batch of malicious NPM packages created for targeted attacks on the German companies Bertelsmann, Bosch, Stihl and DB Schenker has been uncovered. The attack uses the dependency mixing (dependency confusion) method, which exploits overlapping dependency names between public and internal repositories. In publicly available applications, attackers find traces of internal NPM packages downloaded from corporate repositories, whereupon they publish packages with the same names and higher version numbers to the public NPM repository. If, when building, the internal libraries are not explicitly bound in the settings to their own repository, the npm package manager gives the public repository higher priority and downloads the package prepared by the attacker.
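The configuration weakness described above can be checked before a build. The following is an added example, not code from the article or from any of the companies named: it reads a project's package.json and .npmrc and reports internal dependencies that would be fetched from the public registry. It models only the `registry` and `@scope:registry` keys (npm also layers user/global .npmrc files and environment variables, which are ignored here); all package names, scopes and registry URLs are constructed placeholders.

```javascript
// Audit an npm project's .npmrc against its package.json to find internal
// dependencies that would resolve from the public registry (constructed example).
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the key=value lines of an .npmrc into a Map; comments and blanks are skipped.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// Registry npm would use for a dependency: scoped packages honour "@scope:registry"
// when set; everything else falls back to "registry" or the public default.
function registryFor(name, cfg) {
  if (name.startsWith("@")) {
    const scope = name.slice(0, name.indexOf("/"));
    const scoped = cfg.get(`${scope}:registry`);
    if (scoped) return scoped;
  }
  return cfg.get("registry") || PUBLIC_REGISTRY;
}

// Return every dependency marked as internal whose effective registry is the public one.
function findExposedInternalDeps(pkgJson, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.keys(deps)
    .filter((n) => internalNames.has(n) && registryFor(n, cfg) === PUBLIC_REGISTRY)
    .sort();
}

// Constructed sample project: one scoped and one unscoped internal package.
const pkg = { dependencies: { "@corp/auth-client": "^2.1.0", "corp-billing-lib": "1.4.0", express: "^4.18.0" } };
const internal = new Set(["@corp/auth-client", "corp-billing-lib"]);
// Weak: no per-scope mapping, default registry is public, so both internal names are exposed.
const weakNpmrc = "# no scope mapping\nregistry=https://registry.npmjs.org/\n";
// Fixed: scope pinned and the default registry pointed at the corporate mirror.
const fixedNpmrc = "@corp:registry=https://npm.corp.example/\nregistry=https://npm.corp.example/\n";
console.log(findExposedInternalDeps(pkg, weakNpmrc, internal));  // [ '@corp/auth-client', 'corp-billing-lib' ]
console.log(findExposedInternalDeps(pkg, fixedNpmrc, internal)); // []
```

The unscoped package shows why pinning a scope alone is not enough: a name without a scope can only be kept internal by pointing the default registry at a repository that proxies or blocks the public one.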
Linux, OpenSSF Champion Plan to Improve Open Source Security [Ed: Look what companies are in this thing. They relay everyone's data to the NSA. That itself is a data breach.]
Open Source Leaders Push WH for Security Action [Ed: Microsoft is not an "Open Source Leader"]
The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB on Thursday to reach a consensus on key actions to take to improve the resiliency and security of open-source software.
White House joins OpenSSF and the Linux Foundation in securing open-source software [Ed: Steven Vaughan-Nichols is paid to have become a corporate writer for a corporate front group, with his occasional defamation against the community]
The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II [Ed: Linux Foundation quotes Jim Zemlin on security like Zemlin is a technical person. He is not. Charade, theatre, kakistocracy for FUD. If you are a Linux user, Linux Foundation does not represent you. If you are a Microsoft fan, then maybe Linux Foundation does speak for you.]
How much will it cost to secure open-source software? OpenSSF says $147.9M | VentureBeat [Ed: Linux Foundation is a source of FUD against Linux. Well, look who controls the organisation. This report cites Microsoft proxies as "sources" regarding "Open Source" security...]
In recent years there have been multiple vulnerabilities in open-source software that have been exploited, leaving organizations of all sizes at risk.
