Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> supply chain attacks

You all really need to stop using this term when it comes to OSS. Supply chain implies a relationship, none of these companies or developers have a relationship with the creators other than including their packages.

Call it something like "free code attacks" or "hobbyist code attacks."



“code I picked up off the side of the road”

“code I somehow took a dependency on when copying bits of someone’s package.json file”

“code which showed up in my lock file and I still don’t know how it got there”


All of which is true for far too many projects


I know CrowdStrike have a pretty bad reputation but calling them hobbyists is a bit rude.


I'm sure no offense was intended to hobbyists, but it was indeed rude


A supply chain can have hobbyists, there's no particular definition that says everyone involved must be a professional registered business.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: