I'm really hoping this, and the last few weeks, are a tipping point toward taking supply chain security seriously.
-
RE: https://infosec.exchange/@ifin/116605052950779161
I'm really hoping this, and the last few weeks, are a tipping point toward taking supply chain security seriously. Initial access appears to be a compromised VS Code extension.
-
@mttaggart Gives me the chills. As a solo dev, my entire livelihood is tied to the integrity of my toolchain, and there's only so much I can realistically audit myself.
-
@mttaggart I'm sure vibe coding will make securing the supply chain easier and not harder /s
-
“Taking supply chain security seriously” involves laying off the productivity obsession and allowing programmers to remain calm, focused, and vigilant.
I don't think we're anywhere near that tipping point, unfortunately. Companies and politicians still think we can solve this problem with audits, regulations, and hoop jumping.
I discussed this in another thread earlier today: https://mastodon.sdf.org/@argv_minus_one/116602229559669722
-
@mttaggart @peter That GitHub news seems bad!
-
@mttaggart@infosec.exchange my fear is it's going to lead to more expensive and annoying policies from companies, bothering developers, so that compromised stuff is immediately deployed at company-scale.
-
@bovaz You know, I think the constant compromise of their repositories and credentials is something of a bother in and of itself
-
@mttaggart Not that we know which one and can check our own extensions to make sure we aren't compromised. That would be too much to ask!