Hacker News new | ask | show | jobs
by QuantumNoodle 4 days ago
Man, I never hear good security things about npm
2 comments
Retr0id 4 days ago
This doesn't really have anything to do with npm.
link
notabotiswear 4 days ago
From the Arch mailing list [0]

>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something

[0] https://lists.archlinux.org/archives/list/aur-general@lists....

link
Retr0id 4 days ago
They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
link
notabotiswear 4 days ago
Perhaps there were other vectors, but npm was the one used here.

And yes, this is an AUR issue, but npm being used to host and dissiminate malware is also [a chronic] one, even if separate.

link
vitamark 4 days ago
anything except that it's malware installed via npm
link
Retr0id 4 days ago
As you can see here, they've already switched it out for a different command, likely due to incident responders over-indexing on npm as an IOC.

https://news.ycombinator.com/item?id=48503258

link
animitronix 4 days ago
So true. The JavaScript ecosystem is trash.
link