1369 points universesquid | 1 comments
cddotdotslash No.45170804
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
replies(5): >>45170982 #>>45172458 #>>45172566 #>>45173494 #>>45175539 #
mrguyorama No.45172458
Why would NPM do anything about it? NPM has been a great source of distributing malware for like a decade now, and none of you have stopped using it.

Why in the world would they NEED to stop? It apparently doesn't harm their "business".

replies(1): >>45172797 #
pants2 No.45172797
Dozens of businesses have been built to try fixing the npm security problem. There's clearly money in it, even if MS were to charge an access fee for security features.