Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into
Yeah and “change ownership” can be subtle, like a compromised account, so there’s no changes to monitor apart from an update (and you expect updates regularly anyway).
I do think the linux philosophy of “do one thing and do it well” can help a lot, especially when paired with restrictive permissions. But when everything and their dog is integrating LLMs, that alone is already becoming harder.
In open source you could inspect every update (and probably some people do), but unless you’re an above average programmer you probably won’t understand everything, let alone catch hidden backdoors. And then there’re supply chain attacks that don’t change the source code but do change the compiled version so good luck checking that out manually each time unless you always build from scratch.
Yeah and “change ownership” can be subtle, like a compromised account, so there’s no changes to monitor apart from an update (and you expect updates regularly anyway).
I do think the linux philosophy of “do one thing and do it well” can help a lot, especially when paired with restrictive permissions. But when everything and their dog is integrating LLMs, that alone is already becoming harder.
In open source you could inspect every update (and probably some people do), but unless you’re an above average programmer you probably won’t understand everything, let alone catch hidden backdoors. And then there’re supply chain attacks that don’t change the source code but do change the compiled version so good luck checking that out manually each time unless you always build from scratch.