
1369 points universesquid | 1 comments
cddotdotslash ◴[] No.45170804[source]
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
replies(5): >>45170982 #>>45172458 #>>45172566 #>>45173494 #>>45175539 #
PokestarFan ◴[] No.45170982[source]
NPM is owned by GitHub and therefore Microsoft, who is too busy putting Copilot into apps that have 0 reason to have any form of generative AI in them.
replies(5): >>45172925 #>>45172926 #>>45173133 #>>45175660 #>>45179454 #
wutbrodo ◴[] No.45173133[source]
It's not like NPM pre-Microsoft was a paragon of professional management or engineering...
replies(2): >>45174132 #>>45176182 #
Maxious ◴[] No.45176182[source]
For those who have forgotten, Microsoft buying npm was basically a community service, given npm inc was on the brink of collapsing.

https://www.businessinsider.com/npm-ceo-bryan-bogensberger-r...

https://www.businessinsider.com/npm-cofounder-laurie-voss-re...