Comment by QuantumNoodle 7 days ago

Man, I never hear good security things about npm

7 comments

Retr0id 7 days ago
This doesn't really have anything to do with npm.

  notabotiswear 7 days ago
  From the Arch mailing list [0]
  > The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something
  [0] https://lists.archlinux.org/archives/list/aur-general@lists....

    Retr0id 7 days ago
    They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.

  vitamark 7 days ago
  anything except that it's malware installed via npm

    Retr0id 6 days ago
    As you can see here, they've already switched it out for a different command, likely due to incident responders over-indexing on npm as an IOC.
    https://news.ycombinator.com/item?id=48503258

animitronix 7 days ago
So true. The JavaScript ecosystem is trash.