by woodruffw
495 days ago
I think these types of articles should be prefaced with numbers, namely: how many downloads did the package have? How many confirmed installs were there? And so forth. Given that language package managers are intentionally open to the public, "someone uploaded malware to NPM" is not itself an interesting story. What would be interesting is whether a particular typosquatting campaign was effective, given that most appear to be caught before download counts leave "background noise" levels. Or as another framing: malware on an unrestricted index does not matter if nobody actually downloads it. What matters (and is interesting) is when the attacker manages to get nontrivial numbers of downloads to their package.