Reading through the post it looks like this infects via preinstall?
> The new versions of these packages published to the NPM registry falsely purported to introduce the Bun runtime, adding the script preinstall: node setup_bun.js along with an obfuscated bun_environment.js file.
Very cool, I wish I could see more of the data without giving up my name + email. A lot of the time I'm hesitant with that because you input it, then are continually asked for more data.
Definitely! A lot of this falls under the "reachability" umbrella. It's just a little harder to say if something is actually used vs. just installed. For example, in your app you could exec a script, which can be harder for tools to detect with accuracy, and there are just quite a few edge cases to handle.
I guess the scanner would need to be provided with runtime data, somehow. I.e. two phases of scanning, before and after deployment. Suddenly it's getting quite complex, especially if you include the security aspects of that scanner running in prod.
I believe the problem comes where there isn't a clear division of ownership between product teams and SREs.
At a previous company, we embedded SREs on teams for a quarter rotation and found that this model worked well. It was nice to give SREs more product team empathy and vice versa.
Both are impacted, not sure what percentage they, among other subsidiaries, make up of the overall number though. It's not over yet either, notifications are still going out through the end of the week.
This feels like a clickbait title. I don't think that Spotify is in that unique of a position compared to other tech companies that have gone through "hypergrowth" and are now focusing more on profitability.