The usual definition of "supply chain" is all the places where you get your code -- whether a contractual relationship exists, as in, say, the SolarWinds attack, or not, as in the current xz attack or the case described below. And consequences for the victims are the same either way, so focusing on having legal paperwork is a distraction, not a defense
https://www.reversinglabs.com/blog/more-malicious-npm-packages-found-in-wake-of-jumpcloud-supply-chain-hack
Robert Thau /
npub1aq…swx2c
2024-03-31 03:33:21
in reply to nevent1q…ng3m
Author Public Key
npub1aqm4uvw4ykm4htykew4rcr4cd5y2q44gx5q6mqh2n87v3g4sgpvsnswx2cPublished at
2024-03-31 03:33:21Event JSON
{
"id": "535f3858a8ff8947bb94b12b4142ac72a6bac97b51848ff77f202d0c9f0ec24c",
"pubkey": "e8375e31d525b75bac96cbaa3c0eb86d08a056a83501ad82ea99fcc8a2b04059",
"created_at": 1711848801,
"kind": 1,
"tags": [
[
"p",
"d33ea30716562b9255e89766f4d1cf37324284944679d57a3eed9775876dc606"
],
[
"p",
"e8375e31d525b75bac96cbaa3c0eb86d08a056a83501ad82ea99fcc8a2b04059"
],
[
"p",
"269bf643b055ada34b723a876521bd3fc6b6d8357bd4952047d0004e3778a716"
],
[
"e",
"6da8185128c750c2f3f64cd5793424336941ec59d9de6397027096689c3d9681",
"",
"root"
],
[
"p",
"b832cfc8b7c5ac07ae2f27717f806fd07093f599638aca5cfd1e7363444a252b"
],
[
"e",
"04b6e057d9bae74c4882991832d325f12909d57c5c40dc3d2e686d13fd74a796",
"",
"reply"
],
[
"proxy",
"https://mastodon.social/users/rst/statuses/112187723039443677",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/rst/statuses/112187723039443677",
"pink.momostr"
]
],
"content": "The usual definition of \"supply chain\" is all the places where you get your code -- whether a contractual relationship exists, as in, say, the SolarWinds attack, or not, as in the current xz attack or the case described below. And consequences for the victims are the same either way, so focusing on having legal paperwork is a distraction, not a defense\n\n https://www.reversinglabs.com/blog/more-malicious-npm-packages-found-in-wake-of-jumpcloud-supply-chain-hack",
"sig": "623f1ff6c5422a189526b8c42ada6065029d9adf6749013d09d26c76348404bbca4e583fa219c4a66515be218e66dc349bebfc493a501eff6eb613f01745c1f4"
}