Good writeup. I think the basic issue is a lack of static scanning for open source repos. No, it may not have caught this particular thing, but who knows. This was clever. Devious even. Spread out over time to avoid detection. There may be more out there. We need some scanning tools to be able to detect patterns like this if possible, or new conventions to prevent things like this from happening again.