by mschuster91
428 days ago

> Previously only the packed JavaScript code had been modified. Honestly it's time for the npm ecosystem to move to a model where only build agents running on npm's own infrastructure can upload binary artifacts, or to mandate reproducible builds. And for a select set of highly used packages, someone from NPM should be paid to look over each release's changeset. Both would have massively impeded the attacker.