I don't think computer people really realize just how little (relevant) malicious code actually exists on the anyone-can-upload package registries, and folks seem to consistently overestimate the actual threat level here
And no, it's not *just* security folks overestimating the threat level, tons of software developers do it too (and often at the same time overlook the things that are *actually* dangerous)
This also feels like one of those cases of the metaphorical-law-I-forgot-the-name-of, where people perceive an uncommon event as being really common because it's so uncommon that it gets widely reported every time it happens, and therefore skews people's perception of its frequency
@joepie91 confirmation bias + Dunning-Kruger effect?
@joepie91 @nerkles Found this article, with a very generic name "News Paradox" https://www.news5cleveland.com/news-paradox
@joepie91 @nerkles I did not expected this to become relevant within a week: https://pytorch.org/blog/compromised-nightly-dependency/ 😂
@eloy @nerkles Wow. They knew about it and declared it "not a security issue". What the hell.
https://github.com/pypa/pip/issues/8606
fuchsiaaaaaaaaaaaaaaaaa
@joepie91 @nerkles 'Selective reporting' it seems https://rationalwiki.org/wiki/Selective_reporting
@joepie91 @nerkles I'm not sure about news coverage specifically, but I think you're talking about the Bullet Hole Paradox.
It seems to be an example of Survivorship Bias, which is probably the way-more-common name.
https://andycwareing.com/2022/03/08/the-bullet-hole-paradox/
@joepie91 @nerkles Yes, damnit. I remember it being mentioned once in a video from the Universiteit van Nederland and still haven't found it, have been thinking for years about this on occasions 😂 Something something paradox.