Comment by pocksuppet

2 hours ago

What's the meaningful distinction between those two things? You imported axios, you got pwned. Same result either way.

Because of the way npm works, as soon as a developer key gets stolen, a lot of people get pwned. The key is the only barrier.

Compare that with the average distro. You would have to compromise the developer infrastructure (repo or website) and publish a new version without them being aware, while notifying the maintainer that it's OK to merge the new package script into the distro repo. Hard to pull off in high-profile projects.