That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.
That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.
It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.
And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozens packages like this.
This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.
Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.
I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.
Heh, that's if the reviewer actually is a human doing their job and not another AI just waiting for the right keyword to act like a manchurian candidate.
Are many of the packages obfuscated? Seems like here the server url was heavily obfuscated and encrypted, that is a big warning flag is it not. Auto scanning a submitted package and flagging off obfuscated / binary payloads / install scripts for further inspection could help. Am wondering how such packages get automatically promoted for distribution ..
If you have to run it regardless, contain it as good as you could, given the potential impact. If you're not using the same machine for anything else, maybe "good riddance" is the way to go? Otherwise try to sandbox it, understanding the tradeoffs and (still) risks. Easiest for now is just run everything in rootless podman containers (or similar), which is relatively easy. Otherwise VMs, or other machines. All depends on what effort you feel is worth it, so really what it is your are protecting.
Yes, and even more so now that we are vibe coding codebases with piles of random deps that nobody even bothers to look at.
You can mitigate it by fully containerizing your dev env, locking your deps, enabling security scans, and manually updating your deps on a lagging schedule.
Never use npm global deps, pretty much the worst thing you can do in this situation.