Axios npm package compromised in supply-chain attack. How will developers using Linux respond?
OrangePeeler:
I think you are overly generalizing the Linux user base by saying “we”, especially by saying “invulnerable” and “untouchable”, because if you truly have that mindset when using any device, no matter if it’s Linux, Windows, iOS, Android, etc., you’re creating a false sense of security for yourself. We are in the age of zero trust and there are some things we just can not prevent because of the human factor.
The use of “we”, “invulnerable” and “untouchable” was hyperbolic. The sense remains in that a significant portion of Linux users I have spoken to have expressed that they are “safer from malware”, and I think my experience has been reflective of the Linux community as a whole.
OrangePeeler:
The axios compromise is something that we can’t directly plan for due to the nature of supply chain attacks. This isn’t exactly a zero-day since it was pushed upstream by a trusted user’s account, but in cases like this can an anti malware solution even help?
Microsoft has implemented a response with Microsoft Defender. As far as I understand, this means that all computers running Windows will alert the user of the breach and attempt automated mitigation. And as far as I know, the desktop Linux user will not be alerted by their system. So yes, it would help the user know they’re infected.
OrangePeeler:
In my opinion, things like sandboxing your development environment or pinning your dependencies go a long way in mitigating risks like this. Supply chain attacks aren’t a new thing, but they are becoming more common. Instead of using an anti malware solution we should start adapting our workflows to mitigate the risks of such attacks.
This does not address the root of the issue. There is no perfect workflow that will prevent all attacks. System security is not perfect and it will never be. Just as you said, there are things you can not prevent because of the human factor. So we need a way to know if security has been breached, because it’s inevitable.
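The dependency pinning mentioned above, as an added example that is not part of this discussion: a small Node script that flags range specs in package.json and checks that package-lock.json records an integrity hash for each direct dependency, so a silently published new version cannot be pulled in by a routine install. The sample manifests and version numbers are constructed placeholders, not real axios releases.

```javascript
// Added example, not from the thread above. Audits a Node project's direct
// dependencies: are they pinned to an exact version, and does the lockfile
// carry a version and integrity hash for each one? Inputs are constructed.

// Exact semver: major.minor.patch with optional prerelease/build, no range operator.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function directDeps(pkgJson) {
  return { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
}

// Names whose spec is a range (^, ~, >=, *, dist-tag, URL) rather than an exact
// version; these are the entries a newly published upstream release can reach.
function findUnpinned(pkgJson) {
  const deps = directDeps(pkgJson);
  return Object.keys(deps).filter((name) => !EXACT.test(deps[name])).sort();
}

// For lockfileVersion 2/3, each direct dependency should appear under
// packages["node_modules/<name>"] with version and integrity, so that "npm ci"
// rejects a tarball whose hash differs from the one that was reviewed.
function checkLock(pkgJson, lock) {
  const problems = [];
  const deps = directDeps(pkgJson);
  for (const name of Object.keys(deps)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) problems.push(`${name}: missing from lockfile`);
    else if (!entry.integrity) problems.push(`${name}: no integrity hash`);
    else if (EXACT.test(deps[name]) && entry.version !== deps[name])
      problems.push(`${name}: pinned ${deps[name]} but lock resolves ${entry.version}`);
  }
  return problems;
}

// Constructed sample: one caret range, one entry without integrity, one absent entry.
const samplePkg = {
  dependencies: { axios: '^1.0.0', express: '4.0.0' },
  devDependencies: { eslint: '8.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.0.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/express': { version: '4.0.0' },
  },
};

console.log('unpinned:', findUnpinned(samplePkg));
console.log('lock problems:', checkLock(samplePkg, sampleLock));
```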