CommunityNews

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Ever since I started learning how to code, I have been fascinated by the level of trust we put in a simple command like this one:

pip install package_name

Some programming languages, like Python, come with an easy, more or less official method of installing dependencies for your projects. These installers are usually tied to public code repositories where anyone can freely upload code packages for others to use.

You have probably heard of these tools already — Node has npm and the npm registry, Python’s pip uses PyPI (Python Package Index), and Ruby’s gems can be found on… well, RubyGems.

When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

This thread was posted by one of our members via one of our news source trackers.
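As an added illustration (not part of the linked article or of the excerpt above): a small model of what a pip-style installer decides when the same package name is served by two indexes at once. It assumes the behaviour pip documents for `--extra-index-url`, namely that candidates from every configured index are pooled and the highest version wins, with no preference given to the private index. The two index listings, the package names (`acme-internal-utils`, `acme-auth-client`), the simplified version ordering and the `audit` helper are all constructed for this example; nothing is downloaded.

```python
"""Model of package resolution when a private index and a public index
both serve the same name.  Constructed example: the listings below are
made up, and no network access happens."""

# Constructed listing: versions the private (company) index serves.
PRIVATE_INDEX = {
    "acme-internal-utils": ["1.4.0", "1.5.2"],
    "acme-auth-client": ["0.9.1"],
    "requests": ["2.25.1"],  # a mirrored copy of a real public package
}

# Constructed listing: versions the public index serves.  Note that
# someone has published the internal name there with a huge version.
PUBLIC_INDEX = {
    "requests": ["2.25.1", "2.28.0"],
    "acme-internal-utils": ["99.0.0"],
}

# Names the organisation considers internal (assumption for the example).
INTERNAL_NAMES = {"acme-internal-utils", "acme-auth-client"}


def parse_version(version):
    """Numeric tuple for plain N(.N)* versions, e.g. '1.5.2' -> (1, 5, 2).
    Simplified ordering; pre-release tags from PEP 440 are out of scope."""
    return tuple(int(part) for part in version.split("."))


def resolve_merged(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Resolution with both indexes merged (the --extra-index-url model):
    all candidates are pooled and the highest version wins, whichever
    index it came from.  Returns (version, source) or None.
    On an exact version tie the first index listed (private) is kept;
    pip's own tie-break is not modelled."""
    candidates = []
    for source, index in (("private", private), ("public", public)):
        for version in index.get(name, []):
            candidates.append((parse_version(version), version, source))
    if not candidates:
        return None
    _, version, source = max(candidates, key=lambda c: c[0])
    return version, source


def resolve_scoped(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX,
                   internal_names=INTERNAL_NAMES):
    """Hardened policy: a name declared internal is looked up only on the
    private index, so a public package of the same name is never a
    candidate.  Everything else falls back to the merged resolution."""
    if name in internal_names:
        versions = private.get(name, [])
        if not versions:
            return None  # internal name missing from the private index
        return max(versions, key=parse_version), "private"
    return resolve_merged(name, private, public)


def audit(requirements, private=PRIVATE_INDEX, public=PUBLIC_INDEX,
          internal_names=INTERNAL_NAMES):
    """For each required name, report where the merged resolution would
    pull an internal package from the public index.  Each finding is
    (name, version the merged model installs, version the scoped model
    installs)."""
    findings = []
    for name in requirements:
        merged = resolve_merged(name, private, public)
        if merged is None or name not in internal_names:
            continue
        if merged[1] == "public":
            scoped = resolve_scoped(name, private, public, internal_names)
            findings.append((name, merged[0], scoped[0] if scoped else None))
    return findings


if __name__ == "__main__":
    reqs = ["acme-internal-utils", "acme-auth-client", "requests"]
    for req in reqs:
        print(f"{req}: merged={resolve_merged(req)} scoped={resolve_scoped(req)}")
    for name, bad, good in audit(reqs):
        print(f"WARNING {name}: merged resolution installs {bad} from the "
              f"public index; scoped resolution installs {good}")
```

The `resolve_scoped` policy is the shape of the usual fix: internal names are only ever fetched from the private index (in practice, a single `--index-url` pointing at a proxy that serves allow-listed internal names and forwards the rest), rather than letting the installer pick the largest version number it can find anywhere. Pinning exact versions with hashes is an independent second layer, since a hash pin rejects a substituted package even if the version number matches.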
