InfoSec - Supply chain attacks

Example and defenses

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

• xzutils example
• other attempts
• ways to defend your project

https://luj.fr/blog/how-nixos-could-have-detected-xz.html

• xz example and how it affected Nixpkgs bootstrap
• countermeasures

Package repository security

https://repos.openssf.org/principles-for-package-repository-security.html

Tools

https://guac.sh/why-guac/

Examples

Go - Typosquatting + persistent module cache

https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence