Lesson from supply chain attacks: Beware 'dependency confusion' - TechBeacon

After Alex Birsan’s $130,000 bug-bounty haul last week, hundreds of bogus npm packages have popped up out of nowhere. They appear to have been published by copycat researchers—some of whom have less-than-pure intentions.

The moral of the story? Make sure the code you’re importing really is the code you think you’re importing.

And, of course, that means he was running his code on other people’s networks. In this week’s #SecurityBlogwatch at @TechBeaconCom, we get lost: https://t.co/r8SepQEDlY

— @Richi 😷 Jennings (@RiCHi) February 18, 2021