The perils of using remote scripts

The BBC ran an article on the recent BA hack. The thing that stands out for me is the following:

“Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack.” (https://www.bbc.co.uk/news/technology-45481976)

I’ve argued against this in the past, but to no avail, and it’s everywhere now. Designers pull in code from any old place to make their websites work. I’ve even seen it inside commercial CMSs: when a new PHP version deprecates functions, the vendor faces a major job finding or writing replacement libraries, because the Internet-sourced one they depend on is no longer being updated. I have also seen font libraries where the site’s usage exceeded the licence agreement and the download then failed, sometimes causing a delay in the poor user’s browser. Browse to just about any commercial website now and take a look at the connections your system is making, and to where; many of them exist only to download a font or a JavaScript library for some jazzy function.

Remember the news when a JavaScript library turned out to include a bitcoin mining script?

And heaven forbid that programmers would simply take bits of code from Internet sources and glue them all together to create a new app. I mean, that would just be asking for trouble, right?

Basically, we’re doomed…