Comment by swang

25 days ago

Ah yes, only `npm` has ever suffered an attack. Ever.

RubyGems: https://www.sonatype.com/blog/anatomy-of-the-rubygems-rest-c...

PyPI: literally the latest attack included publishing malicious packages on PyPI.

XZ Utils, a part of nearly every Linux distribution, nearly merged in code to backdoor SSH: https://www.akamai.com/blog/security-research/critical-linux...

It is just easy pickings to blame npm specifically. Yes, while they do share some part of the blame, no package manager is immune from attack, and certainly not ones where the attackers exploited being able to extract secrets from a developer's environment variables or files. Seems more like developers should be managing their secrets better?

I also find that using the meme that this title snowclones is in bad taste too.

XZ attacker spent half a year earning trust, doing real maintenance.

Different order of magnitude effort spent during XZ attack.

Security doesn't exist in the absolute. It's about relative effort. Exploiting Debian's package management requires quite a bit of effort; NPM, while being funded by Microsoft, only needs to have a token stolen. And postinstall scripts were decried as a security risk for a long time.