Hacker News new | ask | show | jobs
by chrisfosterelli 3081 days ago
Yes I'd be very curious to see a debrief on what the technical cause was. Thanks to the npm team for a quick weekend fix, at any rate!
1 comments
seldo 3081 days ago
We're working on a full post-mortem now. Until then we don't want to give out misleading/partial information.
link
fl00d 3081 days ago
Any update on the post-mortem? How long have the binaries been replaced? Is there evidence that malware was injected into the binaries?

Additionally, you should brush up on your code signing implementations. Had you signed it with a trusted code signing cert, consumers could have verified that you produced the binaries...and not a malicious user. Assuming they didnt have access to the private key material of your code signing key.

link
chrisfosterelli 3077 days ago
Not sure if you saw but they did post this: http://blog.npmjs.org/post/169432444640/npm-operational-inci...
link