CommunityNews

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Ever since I started learning how to code, I have been fascinated by the level of trust we put in a simple command like this one:

pip install package_name

Some programming languages, like Python, come with an easy, more or less official method of installing dependencies for your projects. These installers are usually tied to public code repositories where anyone can freely upload code packages for others to use.

You have probably heard of these tools already — Node has npm and the npm registry, Python’s pip uses PyPI (Python Package Index), and Ruby’s gems can be found on… well, RubyGems.

When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

This thread was posted by one of our members via one of our news source trackers.
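As an added illustration of the trust the excerpt describes, here is a small Python audit (not code from the article or its author) that reads a requirements.txt and flags the entries pip would install on publisher trust alone: names with no exact version pin, and pins with no --hash, so that a replaced or newer artifact would be accepted without any integrity check. The sample requirements file, the package name internal-billing-lib and the all-zero sha256 digest are constructed placeholders, not real values.

```python
"""Audit a requirements.txt for entries installed on trust alone.

Two properties are checked per requirement:
  * an exact version pin (==), so the resolver cannot pick a newer release;
  * a --hash= option, so pip verifies the downloaded artifact's digest.
"""
import re
from typing import List, NamedTuple

# Constructed sample file (not from the article); the digest is a placeholder.
SAMPLE_REQUIREMENTS = """\
# Pinned and hash-checked: pip refuses any artifact whose digest differs.
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# Version range only: a newer release is accepted automatically.
flask>=2.0
# Bare name: whatever the configured index resolves first is installed.
internal-billing-lib
# Exact pin but no hash: a re-uploaded artifact for the same version is accepted.
numpy==1.26.4
--index-url https://pypi.org/simple
"""

# PEP 508 project name: letters/digits, with ._- allowed inside.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


class Finding(NamedTuple):
    name: str
    issue: str


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations; drop comments, blank lines and pip options."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        # pip treats '#' as a comment only at line start or after whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        line, buf = " ".join(buf.split()), ""
        # Lines starting with '-' are options (-r, -e, --index-url, ...), not requirements.
        if line and not line.startswith("-"):
            out.append(line)
    return out


def audit(text: str) -> List[Finding]:
    """Return one Finding per missing safeguard, in file order."""
    findings: List[Finding] = []
    for req in logical_lines(text):
        match = NAME_RE.match(req)
        if not match:
            findings.append(Finding(req, "unparseable requirement"))
            continue
        name = match.group(0).lower()
        spec = req[match.end():]
        if "==" not in spec:
            findings.append(Finding(name, "not pinned to an exact version (no ==)"))
        if "--hash=" not in spec:
            findings.append(Finding(name, "no --hash: artifact integrity is not verified"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{finding.name}: {finding.issue}")
```

Run against the constructed sample, only `requests` passes; `flask` and `internal-billing-lib` are reported twice (unpinned and unhashed) and `numpy` once (unhashed). Pinning plus `--hash` narrows what `pip install` will accept to one known artifact, which is the practical counterpart to the blind trust the excerpt questions.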
