When will we learn?

138 · Drew DeVault · May 12, 2022, 9:46 a.m.
Congratulations to Rust for its first (but not its last) supply-chain attack this week! They join a growing club of broken-by-design package managers which publish packages uploaded by vendors directly, with no review step, and ship those packages directly to users with no further scrutiny.

Timeline of major incidents on npm/Crates/PyPI/etc

2022-05-10: Cargo: rustdecimal ships with malicious code
2022-05-09: npm: foreach is taken over via an expired email domain
2022-03-17: npm: node-ipc ships ...