The node package model is horrible. Trivial functions would be better just copied at the start of the project. Letting all these code dependencies dynamically mutate is terrifying, and like building a house on wet sand.
This typosquatting attack on npm went undetected for 2 weeks
A two-week-old campaign to steal developers' credentials using malicious code distributed through npm, the Node.js package management registry, has been halted with the removal of 39 malicious npm packages. Developers regularly add these bundles of JavaScript code to Node.js applications to implement common functions, so they …
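As an added example (not code from the article or the comments), a defender-side check in Node.js that flags package.json dependencies whose names sit within a small edit distance of well-known packages, the pattern typosquatting relies on; the popular-package list and the dependency map below are constructed samples, not data from the campaign.

```javascript
// Constructed sample of well-known package names to compare against.
const POPULAR = ["lodash", "express", "react", "babel-cli", "mongoose", "cross-env"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const rows = a.length + 1, cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => [i, ...Array(cols - 1).fill(0)]);
  for (let j = 1; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[rows - 1][cols - 1];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped look-alikes are compared too.
function bareName(name) {
  return name.startsWith("@") ? name.split("/")[1] || name : name;
}

// Return dependencies whose name is close to, but not identical with, a popular package.
function findSuspects(dependencies, popular = POPULAR, maxDistance = 2) {
  const suspects = [];
  for (const name of Object.keys(dependencies)) {
    const bare = bareName(name);
    if (popular.includes(bare)) continue; // exact match: the real package
    for (const p of popular) {
      const dist = editDistance(bare, p);
      if (dist > 0 && dist <= maxDistance) {
        suspects.push({ name, lookalikeOf: p, distance: dist });
        break;
      }
    }
  }
  return suspects;
}

// Constructed package.json "dependencies" map; "lodahs" and "expres" are the look-alikes.
const SAMPLE_DEPS = {
  express: "^4.16.0",
  "@types/express": "^4.0.0",
  lodahs: "^4.17.0",
  expres: "^4.15.0",
  chalk: "^2.0.0",
};

const REPORT = findSuspects(SAMPLE_DEPS);
console.log(REPORT);
```

Run it against a real package.json by replacing SAMPLE_DEPS with the parsed "dependencies" object; a hit is a prompt to inspect the package, not proof it is malicious.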
COMMENTS
Thursday 3rd August 2017 06:48 GMT John Smith 19
Hopefully the account holder is being investigated for this?
So it's like the update systems that Linux distros use, but anyone can contribute to it?
What could possibly go wrong with that?
Obvious question would be did El Reg developers pick up any packages from here?
TBH I've been finding the site a bit slow and flaky for the last few days.