Birsan soon realized that should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead -- without needing any action from the developer. In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of where it was located.

There we go, easy fix. But still, he reported to SO many companies and only got 130K... He could have done anything.
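To make the mechanism in the quoted passage concrete, here is a small Python model of the resolution step, added as an example (it is not Birsan's code, not pip's code, and not from the article). It assumes a hypothetical private index URL and a made-up internal package name `acme-utils`; the candidate lists are constructed, and the "highest version wins across all indexes" rule is a simplification of the behaviour the excerpt describes, not a reimplementation of a real resolver. The hardened resolver pins each package name to the one index it is allowed to come from, and a third function performs the check a practitioner would actually want first: which of your private names already exist on the public index.

```python
"""Toy model of dependency confusion (added example, not code from the page).

Constructed scenario: a private index hosts the internal package `acme-utils`
at 1.4.2, and an attacker has registered the same name on the public index at
a much higher version. With several indexes treated as equals, the highest
version wins regardless of where it lives, so the attacker's package is pulled.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical index URLs for the example.
PRIVATE_INDEX = "https://pypi.internal.example/simple"
PUBLIC_INDEX = "https://pypi.org/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]
    index: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a plain dotted version like '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed candidate set, as a resolver would see after querying both indexes.
CANDIDATES: List[Candidate] = [
    Candidate("acme-utils", parse_version("1.4.2"), PRIVATE_INDEX),   # legitimate
    Candidate("acme-utils", parse_version("99.0.0"), PUBLIC_INDEX),   # attacker's upload
    Candidate("requests", parse_version("2.31.0"), PUBLIC_INDEX),
]


def resolve_highest(name: str, candidates: Iterable[Candidate]) -> Optional[Candidate]:
    """Vulnerable policy: every index is trusted equally, highest version wins."""
    matches = [c for c in candidates if c.name == name]
    return max(matches, key=lambda c: c.version) if matches else None


def resolve_pinned(name: str, candidates: Iterable[Candidate],
                   index_for: Dict[str, str]) -> Optional[Candidate]:
    """Mitigated policy: a package may only be taken from its designated index.

    `index_for` maps private package names to the private index; anything not
    listed is only accepted from the public index. A same-named public upload
    is therefore never a candidate for an internal package.
    """
    allowed = index_for.get(name, PUBLIC_INDEX)
    matches = [c for c in candidates if c.name == name and c.index == allowed]
    return max(matches, key=lambda c: c.version) if matches else None


def find_collisions(private_names: Iterable[str],
                    candidates: Iterable[Candidate]) -> List[str]:
    """Check: which private package names also exist on the public index."""
    private = set(private_names)
    return sorted({c.name for c in candidates
                   if c.index == PUBLIC_INDEX and c.name in private})


if __name__ == "__main__":
    pins = {"acme-utils": PRIVATE_INDEX}
    print("vulnerable :", resolve_highest("acme-utils", CANDIDATES))
    print("pinned     :", resolve_pinned("acme-utils", CANDIDATES, pins))
    print("collisions :", find_collisions(pins, CANDIDATES))
```

The collision check is the cheap part to run today against a real package list; the pinning policy is what the build configuration has to enforce, since the resolver itself has no notion of which index "owns" a name.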
I agree. Also strange that packages are identified by name and not some other (harder to spoof) identifier. It looks like supply chain attacks will be popular this year.