[thombles]

I think if somebody wants to see library distribution channels tightened up they need to be very specific about what they would like to see changed and why it would be better, since it would appear that the status quo is serving what people actually want - being able to create and upload packages and update them when you want.

> But right now there are still no signed dependencies and nothing stopping people using AI agents, or just plain old scripts, from creating thousands of junk or namesquatting repositories.

This is as close as we get in this particular piece. So what's the alternative here exactly - do we want uploaders to sign up with Microsoft accounts? Some sort of developer vetting process? A curated lib store? I'm sure everybody will be thrilled if Microsoft does that to the JS ecosystem. (/s) I'm not seeing a great deal of difference between having someone's NPM creds and having someone's signing key. Let's make things better but let's also be precise, please.

[cube00]

> But right now there are still no signed dependencies

Considering these attacks are stealing API tokens by running code on developer's machines; I don't see how signing helps, attackers will just steal the private keys and sign their malware with those.

[deevus]

Could they detect code running from a new IP address or location and ask for a 2FA code?

[cube00]

postinstall is running on the developer's machine, from an endpoint security perspective, it's the actual developer performing the malicious actions, their machine, their IP address and their location.

[deevus]

That's a good point. Thanks

[izacus]

What are you talking about, NPM keeps having issues that "status quo" of other platforms doesn't.

[thombles]

Crates.io had a major phishing campaign just the other day, but no major hacks yet as far as I know. Is that because they do something special that NPM has failed to do? Or is it just that NPM is a big and juicy target?

[lukan]

We treat code repositories as public infrastructure, but we don't want to pay for it, so corporations run them, with their profit interest in mind. This is the fundamental conflict, that I see. And one solution, more non profits as organisations behind them.