• just_another_person@lemmy.world
    link
    fedilink
    arrow-up
    59
    arrow-down
    3
    ·
    22 hours ago

    This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.

    GitHub is not compromised, nor sending unintended payloads.

    • ikidd@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      22 hours ago

      Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

      • just_another_person@lemmy.world
        link
        fedilink
        arrow-up
        32
        ·
        edit-2
        22 hours ago

        But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

        These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.