This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos. Yes, increased automation of cutting-edge vulnerability discovery will shake things up a bit. No, it's nowhere near the top of what should be keeping you awake at night if you're working in infosec.
We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies, not AI. They've turned the cottage industry of malicious hacking into a multi-billion-dollar enterprise that's attractive even to rogue nations such as North Korea. And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".
We know how to write software with very few bugs (although we often choose not to). We have no good plan for keeping big enterprises secure in this reality. Autonomous LLM agents will be used by ransomware gangs and similar operations, but they don't need FreeBSD exploit-writing capabilities for that.
show comments
bradley13
Whenever I look at a web project, it starts with "npm install" and literally dozens of libraries get downloaded.
The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.
show comments
ashishb
WordPress was great because of the plugins.
WordPress is now a dangerous ecosystem because of the plugins and their current security model.
FAIR has a very interesting architecture, inspired by atproto, that I think has the potential to mitigate some of the supply-chain attacks we've seen recently.
In FAIR, there's no central package repository. Anyone can run one, like an atproto PDS. Packages have DIDs, routable across all repositories. There are aggregators that provide search, front-ends, etc. And like Bluesky, there are "labelers", separate from repositories and front-ends. So organizations like Socket, etc can label packages with their analysis in a first class way, visible to the whole ecosystem.
So you could set up your installer to ban packages flagged by Socket, or ones that recently published by a new DID, etc. You could run your own labeler with AI security analysis on the packages you care about. A specific community could build their own lint rules and label based on that (like e18e in the npm ecosystem.
Not perfect, but far better than centralized package managers that only get the features their owner decides to pay for.
show comments
toniantunovi
The supply chain attack surface in WordPress plugins has always been particularly dangerous because the ecosystem encourages users to install many small single-purpose plugins from individual developers, most of whom aren't security-focused organizations. Buying out an established plugin with a large install base is a clever approach because you inherit years of user trust that took the original developer a long time to build.
The deeper structural issue is that plugin update notifications function as an implicit trust signal. Users see "update available" and click without questioning whether the author is still the same person. A package signing and transfer transparency system similar to what npm has been working toward would help here, but the WordPress ecosystem has historically moved slowly on security infrastructure.
show comments
ChuckMcM
I don't think companies appreciated just how much they gave up when they outsourced "IT".
ramon156
Same day that I submit my own plug-in :( hopefully doesn't interfere with anything.
meteyor
So how was this attack gonna generate "revenue" for the attacker? What kind of info did they get hold of?
show comments
ValentineC
This somehow reminds me of the irony that was Secure Custom Fields:
I see a future where there are LLM vetted repos for Java, Python, Go, etc... And it will cost $1 to submit a release candidate (even for open source)
edit: The idea is the $1 goes towards the tokens required to scan the source code by an LLM, not simply cost a dollar for no other reason that raising the bar.
First submission is full code scan, incremental releases the scanner focuses on the diffs.
show comments
nullbyte
[flagged]
show comments
EGreg
I used to think that HN is full of enlightened open minded people who are open to correcting misconceptions if presented with new evidence, and adopting better practices.
But I have encountered a lot of groupthink, brigading downvotes etc. So I stopped having high expectations over the years.
In the case of Wordpress plugins, it’s bloody obvious that loading arbitrary PHP code in your site is insecure. And with npm plugins, same thing.
Over the years, I tried to suggest basic things… pin versions; require M of N signatures by auditors on any new versions. Those are table stakes.
How about moving to decentralized networks, removing SSH entirely, having a cryptocurrency that allows paying for resources? Making the substrate completely autonomous and secure by default? All downvoted. Just the words “decentralized” and “token” already make many people do TLDR and downvote. They hate tokens that much, regardless of their necessity to decentralized systems.
So I kind of gave up trying to win any approval, I just build quietly and release things. They have to solve all these problems. These problems are extremely solvable. And if we don’t solve them as an industry, there’s going to be chaos and it’s going to be very bad.
show comments
shevy-java
Well - that kind of shows that WordPress is still popular. :)
realty_geek
Makes me even more bullish about emdash from cloudflare.
This is a perfect illustration of what cracks me up about the hyperbolic reactions to Mythos. Yes, increased automation of cutting-edge vulnerability discovery will shake things up a bit. No, it's nowhere near the top of what should be keeping you awake at night if you're working in infosec.
We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies, not AI. They've turned the cottage industry of malicious hacking into a multi-billion-dollar enterprise that's attractive even to rogue nations such as North Korea. And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".
We know how to write software with very few bugs (although we often choose not to). We have no good plan for keeping big enterprises secure in this reality. Autonomous LLM agents will be used by ransomware gangs and similar operations, but they don't need FreeBSD exploit-writing capabilities for that.
Whenever I look at a web project, it starts with "npm install" and literally dozens of libraries get downloaded.
The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.
WordPress was great because of the plugins.
WordPress is now a dangerous ecosystem because of the plugins and their current security model.
I moved to Hugo and encourage others to do so - https://ashishb.net/tech/wordpress-to-hugo/
I really wish that the FAIR package manager project had been successful, but they recently gave up after the WordPress drama died down.
https://fair.pm/
FAIR has a very interesting architecture, inspired by atproto, that I think has the potential to mitigate some of the supply-chain attacks we've seen recently.
In FAIR, there's no central package repository. Anyone can run one, like an atproto PDS. Packages have DIDs, routable across all repositories. There are aggregators that provide search, front-ends, etc. And like Bluesky, there are "labelers", separate from repositories and front-ends. So organizations like Socket, etc can label packages with their analysis in a first class way, visible to the whole ecosystem.
So you could set up your installer to ban packages flagged by Socket, or ones that recently published by a new DID, etc. You could run your own labeler with AI security analysis on the packages you care about. A specific community could build their own lint rules and label based on that (like e18e in the npm ecosystem.
Not perfect, but far better than centralized package managers that only get the features their owner decides to pay for.
The supply chain attack surface in WordPress plugins has always been particularly dangerous because the ecosystem encourages users to install many small single-purpose plugins from individual developers, most of whom aren't security-focused organizations. Buying out an established plugin with a large install base is a clever approach because you inherit years of user trust that took the original developer a long time to build.
The deeper structural issue is that plugin update notifications function as an implicit trust signal. Users see "update available" and click without questioning whether the author is still the same person. A package signing and transfer transparency system similar to what npm has been working toward would help here, but the WordPress ecosystem has historically moved slowly on security infrastructure.
I don't think companies appreciated just how much they gave up when they outsourced "IT".
Same day that I submit my own plug-in :( hopefully doesn't interfere with anything.
So how was this attack gonna generate "revenue" for the attacker? What kind of info did they get hold of?
This somehow reminds me of the irony that was Secure Custom Fields:
https://news.ycombinator.com/item?id=41821336
Was it Automattic again?
I see a future where there are LLM vetted repos for Java, Python, Go, etc... And it will cost $1 to submit a release candidate (even for open source)
edit: The idea is the $1 goes towards the tokens required to scan the source code by an LLM, not simply cost a dollar for no other reason that raising the bar.
First submission is full code scan, incremental releases the scanner focuses on the diffs.
[flagged]
I used to think that HN is full of enlightened open minded people who are open to correcting misconceptions if presented with new evidence, and adopting better practices.
But I have encountered a lot of groupthink, brigading downvotes etc. So I stopped having high expectations over the years.
In the case of Wordpress plugins, it’s bloody obvious that loading arbitrary PHP code in your site is insecure. And with npm plugins, same thing.
Over the years, I tried to suggest basic things… pin versions; require M of N signatures by auditors on any new versions. Those are table stakes.
How about moving to decentralized networks, removing SSH entirely, having a cryptocurrency that allows paying for resources? Making the substrate completely autonomous and secure by default? All downvoted. Just the words “decentralized” and “token” already make many people do TLDR and downvote. They hate tokens that much, regardless of their necessity to decentralized systems.
So I kind of gave up trying to win any approval, I just build quietly and release things. They have to solve all these problems. These problems are extremely solvable. And if we don’t solve them as an industry, there’s going to be chaos and it’s going to be very bad.
Well - that kind of shows that WordPress is still popular. :)
Makes me even more bullish about emdash from cloudflare.
https://github.com/emdash-cms/emdash/discussions/304