The combined features that make npm particularly vulnerable:
1) Update by default. Manually updating your package references is annoying and does lead to other security issues as you don't automatically get latest, but it makes this risk much lower.
2) Code executed on install. Statically-typed languages don't run the code until you use them, and that might not happen on the developer machine at all for the first run after an upgrade; it might be on a lower-priv test server.
3) Culture of many tiny modules (this is good! It's the natural way to fight NIH! Yay modularity!) means many more points-of-failure for security for this kind of attack.
MS Nuget is also lock-by-default. Latest-by-default should be considered harmful unless the package manager is directly vouching for the veracity and reputability of the packages.
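An added example, not from any of the commenters: a small Node.js checker for the first two risk factors named above, version ranges that float to a newer release and lifecycle scripts that execute at install time. The manifests are constructed samples, and `floatingDeps` / `installScripts` are hypothetical helper names.

```javascript
// Added example (not from the thread). Flags the two npm properties the comment
// describes: ranges that "update by default" and code that runs on install.

// Only an exact semver string is treated as pinned; anything else (^, ~, *,
// ranges, tags, git/file specifiers) can resolve to different code over time.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Lifecycle hooks npm runs for a dependency during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns "name@range" for every dependency whose range is not an exact version.
function floatingDeps(manifest) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT_SEMVER.test(String(range).trim())) out.push(`${name}@${range}`);
    }
  }
  return out;
}

// Returns the install-time hooks a dependency's own manifest declares.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Constructed sample: an application manifest with pinned and floating deps.
const appManifest = {
  dependencies: { left: '1.2.3', 'some-helper': '^4.0.0' },
  devDependencies: { tooling: '~2.1.0' },
};

// Constructed sample: a dependency manifest that runs code during install.
const depManifest = {
  name: 'some-helper',
  version: '4.0.1',
  scripts: { postinstall: 'node ./setup.js', test: 'mocha' },
};

console.log('floating ranges:', floatingDeps(appManifest));
console.log('install hooks in some-helper:', installScripts(depManifest));
```

The matching mitigations are the ones the comment implies: install from a lockfile (`npm ci`) so resolution cannot drift, and set `ignore-scripts=true` in `.npmrc` so a dependency's lifecycle hooks do not run on developer or build machines.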
Peter Zeihan was saying the same about the Russian invasion of Ukraine when that started, since Russia and Ukraine export fertilizer precursors... If there were famines they didn't make the news (but they might not regardless).
There's been massive food inflation since the Ukraine war. The petrol protests are starting in Africa and Asia. Like, this isn't headline news but it exists.
I write a horrifying amount of PowerShell and I've always been craving something like that - rather than pwsh reinventing every wheel, just "bash but also with objects".
I like "...lead is responsible for the loss of 824,097,690 IQ points as of 2015" which is something I never hear from the people who are so interested in IQ and who can't stand it that the rest of us aren't.
Ouch. I'm just getting into tinkering with these things - mine is running on a vanilla gaming desktop with a 12 GB 3060 and 32 GB of RAM. Even going above Qwen 9B risks completely locking up the machine.
How is this a change from status quo? Bitcoin has been the currency of crime since soon after its inception. Back when you could mine on a CPU it was the way to monetize stolen compute. It was the way to buy illegal things on the now-pardoned silk road. It was the way to pay off ransomware. It is now the currency of dark influence money.
Using it to pay off a shipping protection racket is pretty much par for the course.
I think it's different because of the message it sends. Using bitcoin to do generic illegal things is an 'offense' to anyone that wants to stop illegal things. But there's already lots of targets to aim for if somebody wants to enforce the law; the method of payment is kind of a small deal. However, in this case using bitcoin is an offense to the other party in the war -- the US. I think the US has a more obvious target, and is more capable to do something about the "problem" than general law-loving folk are about illegal activity. At the very least, I'd think it breaks the embargo? And the US really has (historically) cared about that.