by Shank 3083 days ago
> no malicious actors were involved in yesterday’s incident, and the security of npm users’ accounts and the integrity of these 106 packages were never jeopardized

Maybe not in the incident itself, but the sheer fact that many of the packages were replaced by other people constitutes a jeopardization of applications that depend on NPM. The only reason why some big package didn't get replaced with code that exfiltrated data from production or subtly backdoored it is sheer luck.


It's beyond disingenuous and flat-out dishonest for npm to say the integrity of the packages was never jeopardized. Within minutes there were reports that packages had been replaced with questionable and malicious content.

https://news.ycombinator.com/item?id=16087079

This is probably a good indication of how a much more serious security event would be treated by the organization... just sayin'.

At the very least, npm should explain why we can be sure the packages now offered are exactly the same as they were before the incident, if, in fact, it is in a position to make that claim.
Yeah, I have no idea how they can even pretend to claim that.
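The check the last two comments ask for can be done locally rather than taken on trust, because npm writes a Subresource-Integrity style hash (`sha512-<base64 digest>`) into `package-lock.json` for every resolved tarball. The following is an added example and not code from this thread or from npm: it computes and verifies those integrity strings, and diffs a lockfile saved before an incident against a current one to flag any package whose pinned version is unchanged but whose tarball hash is not, which is exactly the signature of a republished artifact. It assumes the `lockfileVersion: 1` layout with a top-level `dependencies` map; the package names and tarball bytes are constructed stand-ins, not real registry data.

```python
import base64
import hashlib
import hmac

# Algorithms npm may list in an integrity field, strongest first.
SUPPORTED = {"sha512": hashlib.sha512, "sha256": hashlib.sha256, "sha1": hashlib.sha1}


def ssri(algo, data):
    """Return an integrity string in the form npm writes to package-lock.json: '<algo>-<base64 digest>'."""
    digest = SUPPORTED[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_tarball(data, integrity):
    """True when `data` hashes to the lockfile's integrity value.

    A field may carry several space-separated hashes; the strongest supported one decides.
    Unknown algorithms are ignored, and an integrity field with no usable hash fails closed.
    """
    best = None
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        if algo not in SUPPORTED:
            continue
        rank = list(SUPPORTED).index(algo)
        if best is None or rank < best[0]:
            best = (rank, algo, base64.b64decode(b64))
    if best is None:
        return False
    _, algo, expected = best
    # Constant-time comparison; not strictly needed for a public hash but a good habit.
    return hmac.compare_digest(SUPPORTED[algo](data).digest(), expected)


def changed_packages(old_lock, new_lock):
    """Compare two lockfileVersion-1 lockfiles (assumed layout: top-level 'dependencies').

    Returns (name, reason) pairs for packages that vanished from the new lockfile or whose
    pinned version is identical while the tarball integrity differs, i.e. same version string,
    different bytes, which is what a republished package looks like.
    """
    old, new = old_lock["dependencies"], new_lock["dependencies"]
    findings = []
    for name, meta in old.items():
        if name not in new:
            findings.append((name, "missing"))
        elif meta["version"] == new[name]["version"] and meta["integrity"] != new[name]["integrity"]:
            findings.append((name, "integrity changed"))
    return findings


# Constructed sample data: stand-ins for tarball bytes and for two lockfile snapshots.
GOOD_TARBALL = b"constructed bytes standing in for pkg-a-1.0.0.tgz as originally published"
REPLACED_TARBALL = b"constructed bytes standing in for pkg-a-1.0.0.tgz as republished by someone else"
OTHER_TARBALL = b"constructed bytes standing in for pkg-b-2.1.0.tgz"

PRE_INCIDENT_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "pkg-a": {"version": "1.0.0", "integrity": ssri("sha512", GOOD_TARBALL)},
        "pkg-b": {"version": "2.1.0", "integrity": ssri("sha512", OTHER_TARBALL)},
    },
}
POST_INCIDENT_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "pkg-a": {"version": "1.0.0", "integrity": ssri("sha512", REPLACED_TARBALL)},
        "pkg-b": {"version": "2.1.0", "integrity": ssri("sha512", OTHER_TARBALL)},
    },
}


if __name__ == "__main__":
    pinned = PRE_INCIDENT_LOCK["dependencies"]["pkg-a"]["integrity"]
    print("original tarball matches pinned hash:", verify_tarball(GOOD_TARBALL, pinned))
    print("republished tarball matches pinned hash:", verify_tarball(REPLACED_TARBALL, pinned))
    for name, reason in changed_packages(PRE_INCIDENT_LOCK, POST_INCIDENT_LOCK):
        print(f"{name}: {reason}")
```

The useful property here is that the pre-incident lockfile is evidence the project already holds: committing `package-lock.json` and installing with `npm ci` means a swapped tarball fails the install instead of silently running, and diffing lockfile snapshots answers the question of whether anything changed without relying on the registry's own statement.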