A discussion thread exploring why software supply chain attacks have become increasingly frequent, triggered by recent compromises of litellm (PyPI) and axios (npm). Key themes include: the role of the Trivy vulnerability scanner compromise enabling multiple attacks, the cultural shift away from auditing dependencies, the unsustainable growth of transitive dependency chains, OS-level security model inadequacies, maintainer burnout and reduced engagement, and the attractiveness of centralized package registries as targets. Mitigations discussed include vendoring dependencies, using fewer dependencies (noting Go's ecosystem as a positive example), bubblewrap sandboxing, network segmentation, and stricter egress controls.