I’m really surprised this didn’t happen frequently until recently. The xz incident was very high effort compared to this.
NPM is basically anonymous, no vetting, no quality control. And it’s very common to have thousands of NPM packages installed. Nobody is checking all of that.
It’s just bound to happen in the NPM ecosystem.