Do we know yet why this has happened? With xz it was supposed to be a state actor because of the tons of resources that were used to implement this and likely it had a single, unidentifiable target (maybe a government agency, who knows). Or maybe it is Microsoft trying to keep open source OSs in check?
I’m really surprised this didn’t happen frequently until recently. The xz incident was very high effort compared to this.
NPM is basically anonymous, no vetting, no quality control. And it’s very common to have thousands of NPM packages installed. Nobody is checking all of that.
It’s just bound to happen in the NPM ecosystem.