Hacker News

f311a, today at 2:27 PM (2 replies)

Their previous release would be easily caught by static analysis. PTH is a novel technique.

Run all your new dependencies through static analysis and don't install the latest versions.

I implemented static analysis for Python that detects close to 90% of such injections.

https://github.com/rushter/hexora
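A defender-side check in the spirit of the advice above, written here as an added example rather than hexora's own code. It assumes "PTH" in the comment refers to Python .pth path-configuration files (site.py executes any line in them that starts with `import` at interpreter startup), and it flags only two review-worthy patterns, .pth import lines and exec()/eval() fed from a decode helper, over a constructed sample package tree.

```python
import ast
import tempfile
from pathlib import Path
# Helper names whose output feeding exec()/eval() deserves a reviewer's look.
DECODERS = {"b64decode", "decompress", "unhexlify", "fromhex"}

def pth_import_lines(path):
    """site.py executes any .pth line beginning with 'import' at startup."""
    return [ln.rstrip() for ln in path.read_text(errors="replace").splitlines()
            if ln.lstrip().startswith("import ")]

def _calls_decoder(node):
    """True if the AST subtree contains a call to one of DECODERS."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in DECODERS:
                return True
    return False

def dynamic_exec_sites(path):
    """Line numbers of exec()/eval() whose first argument comes from a decoder."""
    tree = ast.parse(path.read_text(errors="replace"), filename=str(path))
    return [n.lineno for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
            and n.func.id in ("exec", "eval") and n.args
            and _calls_decoder(n.args[0])]

def scan_tree(root):
    """Map relative file path -> findings (.pth hooks, decoded exec/eval)."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.suffix == ".pth" and (lines := pth_import_lines(p)):
            findings[p.relative_to(root).as_posix()] = lines
        elif p.suffix == ".py" and (sites := dynamic_exec_sites(p)):
            findings[p.relative_to(root).as_posix()] = sites
    return findings

def demo():
    """Constructed sample package: a benign module, a .pth hook, a decoded exec."""
    root = Path(tempfile.mkdtemp())
    (root / "pkg").mkdir()
    (root / "pkg" / "util.py").write_text("def add(a, b):\n    return a + b\n")
    (root / "pkg" / "loader.py").write_text(
        "import base64\nexec(base64.b64decode(b'cHJpbnQoMSk=').decode())\n")
    (root / "zz_hook.pth").write_text("pkg\nimport pkg.loader\n")
    return scan_tree(root)

print(demo())
```

The scan only parses files and never imports or executes the package under review, so it is safe to run on an unpacked wheel or sdist before installation.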


Replies

ting0, today at 7:11 PM

And easily bypassed by an attacker who knows about your static analysis tool and can iterate on their exploit until it no longer gets flagged.

samsk, today at 2:56 PM

Interesting tool, will definitely try. Just curious, is there a tool (a hexora checker) that ensures that hexora itself and its dependencies are not compromised? And of course if there is one, I'll need another one for the hexora checker...
