Ever since I started learning how to code, I have been fascinated by the level of trust we put in a simple command like this one:
pip install package_nameSome programming languages, like Python, come with an easy, more or less official method of installing dependencies for your projects. These installers are usually tied to public code repositories where anyone can freely upload code packages for others to use.
You have probably heard of these tools already — Node has
npmand the npm registry, Python’spipuses PyPI (Python Package Index), and Ruby’s gems can be found on… well, RubyGems.When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
This thread was posted by one of our members via one of our news source trackers.