by raesene9 1693 days ago
Earlier post (https://news.ycombinator.com/item?id=29111279).

The thing that should be causing concern is not so much these very loud, obvious attacks, but how many better attacks that are harder to detect are currently happening.

With 1.7M packages and an ecosystem that favours lots of third-party package usage, NPM is a large target. Whilst NPM isn't the only repository to have this kind of issue, it's definitely the largest attack surface.