by Sephr 3080 days ago
> who believed that a malicious actor or security breach was to blame

This was a security breach. Their anti-spam system should block repos by freezing the module name and returning blank files, not by deleting the entire module and subsequently allowing anyone to upload new modules. This is leftpad all over again.

Update: Woah, so I was checking out my old NPM namespaces and apparently someone took control over https://www.npmjs.com/package/filesaver.js

1 comments

It's not a "breach" technically. No malicious person caused the packages to be removed by circumventing authentication/authorization systems. It is a security issue though. A bug and serious security issue, yes, but not technically a breach.

A breach didn't cause the issue, but there absolutely was a breach in response to NPM's incompetence. https://news.ycombinator.com/item?id=16087126