Isn't this the biggest security flaw in the package ecosystem ever?
They don't even know when, if, who and when this was exploited, but maybe I didn't pay enough detail attention to the few paragraphs devoted to the real problem.
So shoudn't we assume all NPM packages published prior to 2nd of November are compromised?
They don't even know when, if, who and when this was exploited, but maybe I didn't pay enough detail attention to the few paragraphs devoted to the real problem.
So shoudn't we assume all NPM packages published prior to 2nd of November are compromised?
And if so, shouldn't this deserve a CVE? (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exp...)