Axios npm package compromised in supply-chain attack. How will developers using Linux respond?
Privacy Guides Community [Unofficial]
April 6, 2026
banana:
> We think of ourselves so invulnerable and untouchable and yet we don’t even have the mechanisms to verify if we, are in fact, untouched. The attacks happen through trusted channels, and when they happen, it’s likely that we will never even find out they happened. How much longer until the Linux community recognizes that this mode of operation is not viable, especially when Linux becomes a bigger target with its increasing popularity?
>
> Why do we think of ourselves as “above antimalware”?
I think you are overly generalizing the Linux user base by saying “we”, especially by saying “invulnerable” and “untouchable”, because if you truly have that mindset when using any device, no matter if it’s Linux, Windows, iOS, Android, etc., you’re creating a false sense of security for yourself. We are in the age of zero trust, and there are some things we just cannot prevent because of the human factor.
The axios compromise is something that we can’t directly plan for due to the nature of supply chain attacks. This isn’t exactly a zero-day since it was pushed upstream by a trusted user’s account, but in cases like this can an anti-malware solution even help?
In my opinion, things like sandboxing your development environment or pinning your dependencies go a long way in mitigating risks like this. Supply chain attacks aren’t a new thing, but they are becoming more common. Instead of using an anti-malware solution, we should start adapting our workflows to mitigate the risks of such attacks.
Edit: To add, post-compromise you are correct in asking what we have to resolve issues afterwards. I do not believe we currently have something like this for Linux.
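One way to check the dependency-pinning practice the reply recommends, as an added example that is not part of the thread: a small Node script that audits a package.json and package-lock.json for version ranges, lockfile entries without an integrity hash, and tarballs resolved from somewhere other than the expected registry. The package names, versions and URLs in the sample are constructed placeholders and say nothing about real releases.

```javascript
// Added example (not from the forum thread): audit an npm manifest and lockfile
// for the "pin your dependencies" practice. It flags (1) version ranges in
// package.json instead of exact versions, (2) lockfile entries with no
// "integrity" hash, and (3) entries resolved from an unexpected registry.
// All sample data below is constructed for illustration only.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

function isExactVersion(spec) {
  // Exact semver: major.minor.patch with an optional prerelease/build suffix.
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec);
}

function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!isExactVersion(spec)) {
      findings.push({ name, issue: "unpinned-range", detail: spec });
    }
  }
  // lockfileVersion 2/3 stores installed packages under "packages", keyed by path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, ""); // handles nested node_modules
    if (!entry.integrity) {
      findings.push({ name, issue: "missing-integrity", detail: entry.version });
    }
    if (entry.resolved && !entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ name, issue: "unexpected-registry", detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample: one range spec, one entry without a hash, one off-registry tarball.
const samplePkg = { dependencies: { axios: "^0.0.0", lodash: "0.0.1" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^0.0.0", lodash: "0.0.1" } },
    "node_modules/axios": { version: "0.0.9", resolved: "https://registry.npmjs.org/axios/-/axios-0.0.9.tgz" },
    "node_modules/lodash": { version: "0.0.1", resolved: "https://mirror.example.invalid/lodash-0.0.1.tgz", integrity: "sha512-CONSTRUCTED" },
  },
};

console.log(auditDependencies(samplePkg, sampleLock));
```

Run against a real project by replacing the sample objects with `JSON.parse(fs.readFileSync(...))` of its package.json and package-lock.json.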