- cross-posted to:
- webdev@programming.dev
cross-posted from: https://lemmy.bestiver.se/post/758000
“No Way To Prevent This” Says Only Package Manager Where This Regularly Happens*
* This is a joke about gun violence.
Real question: is it really isolated to npm, or are there a few lessons others could take and discover their own vulnerabilities?
It happens in python pip too.
Arch checking in. It may happen less. But it still does.
To be fair to Arch, the AUR was always advertised as a caveat emptor type thing. It never really claimed to be secure in the first place.
That is fair.
Thought this was a reference to the hardcore band for a second… seeing them next month for the first time. I’m pumped! Sucks the malware is back.
It’s surely a reference to the Dune novels.
Yup
I avoid NPM like the plague.
I feel like I’m better off for it.
That is pretty evil.
Without signing attestation (both developer and code) there will be no way to find out who was responsible and stop the propagation. This will happen again.
Edit: there have been attempts like https://docs.npmjs.com/trusted-publishers, but that hasn’t fixed the problem.
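The comment above points at npm trusted publishers and provenance attestations as the thing that would let you tell who published a release. Here is an added example (not code from the thread, npm, or the linked docs) of the cheap check a consumer can run against registry metadata: which versions of a package carry a SLSA provenance attestation, and whether the `latest` tag has lost provenance that earlier versions had, which is the pattern worth alarming on since a token-based publish from a compromised account does not come out of the trusted-publisher CI workflow and so cannot carry that provenance. The packument excerpt is constructed, and the `dist.attestations` / `dist.signatures` shape is reproduced from the public npm registry format from memory, so treat the field names as an assumption to confirm against `npm view <pkg> --json`.

```python
"""Flag npm package versions that lack a provenance attestation.

Added example; the packument below is constructed and the
`dist.attestations` shape is an assumption about the npm registry format.
"""
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed registry response (not real data). 1.2.0 was published via a
# trusted publisher and has provenance; 1.2.1 ("latest") only has a registry
# signature, which every upload gets regardless of who pushed it.
PACKUMENT = json.loads("""
{
  "name": "example-lib",
  "dist-tags": {"latest": "1.2.1"},
  "versions": {
    "1.2.0": {
      "dist": {
        "integrity": "sha512-PLACEHOLDER-A",
        "signatures": [{"keyid": "SHA256:placeholder-registry-key", "sig": "MEUC..."}],
        "attestations": {
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-lib@1.2.0",
          "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}
        }
      }
    },
    "1.2.1": {
      "dist": {
        "integrity": "sha512-PLACEHOLDER-B",
        "signatures": [{"keyid": "SHA256:placeholder-registry-key", "sig": "MEUC..."}]
      }
    }
  }
}
""")


def has_provenance(version_meta: dict) -> bool:
    """True if this version advertises a SLSA v1 provenance attestation."""
    att = version_meta.get("dist", {}).get("attestations")
    if not att:
        return False
    return att.get("provenance", {}).get("predicateType") == SLSA_V1


def versions_without_provenance(packument: dict) -> list[str]:
    """All versions that carry no provenance attestation, sorted."""
    return sorted(v for v, m in packument["versions"].items()
                  if not has_provenance(m))


def provenance_regression(packument: dict) -> bool:
    """True when `latest` lacks provenance but some earlier version had it.

    A release that suddenly drops provenance the project previously shipped
    did not come out of the trusted-publisher workflow; treat it as suspect.
    """
    versions = packument["versions"]
    latest = packument["dist-tags"]["latest"]
    if has_provenance(versions[latest]):
        return False
    return any(has_provenance(m) for v, m in versions.items() if v != latest)


if __name__ == "__main__":
    print("versions without provenance:", versions_without_provenance(PACKUMENT))
    print("latest lost provenance:", provenance_regression(PACKUMENT))
```

Presence of the `attestations` field is only the policy gate; the actual Sigstore verification of the bundle behind `attestations.url` is what `npm audit signatures` does against an installed tree, so run that as the real check and use the metadata scan above to decide which packages deserve a closer look before upgrading.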