by losingthefight 2944 days ago
Not OP but maybe he is referring to the bug in which the npm upgrade bumped to a non-ready version and caused havoc on production systems by overwriting permissions and files: https://github.com/npm/npm/issues/19883

That was the end of February, so not sure but that may be it.


There was also the issue where npm filter bots accidentally expelled some large, legitimate users and then made the namespace available, thus allowing random people to take the packages over, and inject code into any applications that used those projects.
This is one of the scariest aspects to modern development. Thousands of applications are one bad actor away from ruin. We're incredibly vulnerable. Chrome extension gone rogue? Package repository allowed duplicate packages? A contributor's GitHub key was hijacked?

Imagine uBlock Origin's Chrome extension author creds were hacked. "He" publishes a new version of the Chrome extension that monitors coinbase.com and fakes the transfer/confirmation screen, or submits transfers in the background. The extension has "write" access on all sites, so the rogue extension can also monitor your Gmail and silently inject a filter that routes trade confirmations to trash.

Or the "requests" library in Python gets an update to replicate 2FA codes via Twilio to a 3rd party.

Sure, you can do pinning and cryptographic signatures to verify that v1.0.0 of X is really what you expected.

But who audited 1.0.0 of X in the first place...?

My thoughts exactly.

We are one step away from very bad shit hitting the fan in a very painful way... so let's pretend everything's fine and try not to think about these things.

When a production system pulls "latest" of anything, such things are bound to happen. There probably is no reliable testing or QA either when deployment methods are not deterministic.