Hacker News

jauco yesterday at 5:19 PM

But once you can make people download your malicious js code using npm, why would you then need to inject malicious js code in protobuf?


Replies

cyanydeez yesterday at 6:51 PM

Well, in this attack, you're using the vulnerable dev to modify their code to run a protobuf schema that's vulnerable; so then it can inject that vulnerability to the client code, and then you're exfiltrating 10s of users (the dev who ran this code isn't very popular).