Hacker News new | ask | show | jobs
by andrewl-hn 276 days ago
TBF it does happen to other package managers, too. There were similar attacks on PyPI and Rubygems (and maybe others). However, since npm is the largest one and has the most packages released, updated, and downloaded, it became the primary target. Similar to how computer viruses used to target Windows first and foremost due to its popularity.

Also, smaller package managers tend to learn from these attacks on npm, and by the time the malware authors try to use similar types of attacks on them the registries already have mitigations in place.
1 comments
shakna 276 days ago
PyPI is working towards attestation [0], and already has "Trusted Publisher" [1].

Ruby has had signed gems since v2 [2].

These aren't a panacea. But they do mean an effort has been made.

npm has been talking about maybe doing something since 2013 [3], but ended up doing... Nothing. [4]

I don't think it's fair to compare npm to the others.

[0] https://docs.pypi.org/attestations/producing-attestations/

[1] https://docs.pypi.org/trusted-publishers/

[2] https://docs.ruby-lang.org/en/master/Gem/Security.html

[3] https://github.com/npm/npm/pull/4016

[4] https://github.com/node-forward/discussions/issues/29

link
madeofpalk 276 days ago
NPM has both Trusted Publishing and provenance claims for where packages are built.

https://docs.npmjs.com/trusted-publishers

https://docs.npmjs.com/generating-provenance-statements

Trusted Publishing is relatively new - GA-ed in July https://github.blog/changelog/2025-07-31-npm-trusted-publish...

link
otterley 276 days ago
Trusted Publishing is a marketing term—a fancy name for OIDC support and temporary auth token issuance. It delegates authenticating the uploader to their identity provider, nothing more.

In a very real sense, it shifts responsibility to someone else. For example, if the uploader was using Google as their identity provider and their Google account was popped, the attacker would be able to impersonate the uploader. So I wouldn’t describe it as establishing a strong trust relationship with the uploader.

It only meaningfully improves the security of the NPM ecosystem if (a) everyone is forced to sign packages and (b) identity providers require more secure authentication methods with as hardware tokens or passkeys.

link
arianvanp 273 days ago
Trusted publishing helps with tracking down how something got compromised after compromise. It doesn't do anything to protect against compromise except for using time-limited credentials but that only makes the window smaller. It doesn't make compromise impossible
link