Malicious packages in open-source repositories are surging

(cyberscoop.com)

34 points | by mdp2021 17 hours ago

6 comments

  • an hour ago
    [deleted]
  • indigodaddy 15 hours ago

    500,000 out of 7M projects is a pretty hard to believe figure. Staggeringly high percentage if true.

    • downboots 2 hours ago

      It shouldn't be hard to believe when the attacker aims to infect as many as possible, no?

    • TacticalCoder 14 hours ago

      I think they're counting every dependency. For example they mention a backdoored log4j version: but every project pulling that one log4j version is counted as "malicious".

      Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

      • dartos 39 minutes ago

        > Still 500 K out of 7M that'd be using a malicious package would still be staggeringly high.

        I don’t doubt it. How often do you think people really audit their dependencies?

        And with the sophistication demonstrated in that xz attack, it’d probably be hard for the average dev to tell if a package is malicious even if they did.

      • vrighter 6 hours ago

        Which is the right approach, imo. The authors of a package are also responsible for which dependencies they depend on.
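As an added illustration of the counting question raised in the thread (how one backdoored version can be charged to every project that pulls it, directly or through another dependency), the following is example code written for this page, not from the article or any commenter; the dependency graph and the flagged version are constructed sample data.

```python
"""Count how many projects reach a flagged package version, split into
direct dependents and those that only reach it transitively.
The graph and advisory entry below are constructed sample data."""
from collections import deque

# Constructed dependency graph: each (name, version) node maps to the
# (name, version) nodes it pulls in. "project-*" entries are top-level
# projects; the rest are library releases.
DEPENDENCY_GRAPH = {
    ("project-a", "1.0"): [("web-framework", "2.3")],
    ("project-b", "1.0"): [("logging-lib", "2.14.1")],
    ("project-c", "1.0"): [("utils", "0.9")],
    ("project-d", "1.0"): [("web-framework", "2.3"), ("utils", "0.9")],
    ("web-framework", "2.3"): [("logging-lib", "2.14.1")],
    ("logging-lib", "2.14.1"): [],
    ("utils", "0.9"): [],
}

# Constructed advisory list: releases treated as backdoored.
FLAGGED = {("logging-lib", "2.14.1")}

PROJECTS = [n for n in DEPENDENCY_GRAPH if n[0].startswith("project-")]


def transitive_closure(node, graph):
    """Return every (name, version) reachable from node, node itself excluded."""
    seen, queue = set(), deque(graph.get(node, []))
    while queue:  # breadth-first walk; 'seen' also guards against cycles
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def affected_projects(graph, flagged, projects):
    """Split projects into those declaring a flagged version directly and
    those that only reach one through another dependency."""
    direct, transitive = set(), set()
    for project in projects:
        if flagged & set(graph.get(project, [])):
            direct.add(project)
        elif flagged & transitive_closure(project, graph):
            transitive.add(project)
    return direct, transitive


if __name__ == "__main__":
    direct, transitive = affected_projects(DEPENDENCY_GRAPH, FLAGGED, PROJECTS)
    print(f"direct: {len(direct)}, transitive: {len(transitive)}, "
          f"total affected: {len(direct) + len(transitive)} of {len(PROJECTS)}")
```

Only one project declares the flagged release itself, yet three of the four are "using a malicious package" once transitive dependencies are counted, which is the distinction the comments above are arguing over.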