
Running wasn't the issue
Running the code wasn't the issue. Anybody installing the package would have been affected, and anybody not using a lock file would have automatically been upgraded to the infected package.
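The lock-file point in the comment above, as an added example that is not from the article or from any commenter: a toy dependency resolver over constructed data, showing that a caret range with no lockfile entry picks the newest published version, while a lockfile entry pins the install to what was previously reviewed. The package name `example-lib`, its version list and the caret semantics (handled for major versions >= 1 only) are assumptions for illustration.

```javascript
// Constructed registry for a hypothetical package. The newest entry stands in for
// a release published after the project last installed; nothing here is real data.
const REGISTRY = {
  "example-lib": ["1.4.0", "1.4.1", "1.5.0"],
};

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret semantics for major >= 1 (assumption: 0.x ranges are not modelled):
// ^a.b.c means >= a.b.c and < (a+1).0.0.
function satisfiesCaret(range, version) {
  const base = range.slice(1);
  if (parseVersion(version).major !== parseVersion(base).major) return false;
  return compareVersions(version, base) >= 0;
}

function satisfies(range, version) {
  if (range.startsWith("^")) return satisfiesCaret(range, version);
  return range === version; // anything else is treated as an exact pin
}

// What an install would fetch: a lockfile entry wins outright; otherwise the
// newest registry version matching the range is chosen, which is the silent
// upgrade path the comment describes.
function resolveInstall(dependencies, lockfile, registry = REGISTRY) {
  const resolved = {};
  for (const [name, range] of Object.entries(dependencies)) {
    if (lockfile && lockfile[name]) {
      resolved[name] = lockfile[name];
      continue;
    }
    const candidates = (registry[name] || []).filter((v) => satisfies(range, v));
    if (candidates.length === 0) {
      throw new Error(`no version of ${name} satisfies ${range}`);
    }
    candidates.sort(compareVersions);
    resolved[name] = candidates[candidates.length - 1];
  }
  return resolved;
}

// Audit helper: dependencies whose installed version is not fixed by the lockfile.
function unpinnedDependencies(dependencies, lockfile) {
  return Object.keys(dependencies).filter((name) => !(lockfile && lockfile[name]));
}

// Constructed project manifest and lockfile.
const deps = { "example-lib": "^1.4.0" };
const lock = { "example-lib": "1.4.0" };

console.log("without lockfile:", resolveInstall(deps, null));
console.log("with lockfile:   ", resolveInstall(deps, lock));
console.log("unpinned:        ", unpinnedDependencies(deps, null));
```

Without the lockfile the resolver returns `1.5.0`, the newest match for `^1.4.0`; with it, `1.4.0`. The same comparison is what a CI check should make before running an install step.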
An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers' NPM login tokens. The open-source utility eslint-scope was altered by hackers so that, when used to analyze source code, it would copy the contents of the user's ~/.npmrc file to …
This is yet another example of the scumbags winning the battle. Everything has an entry point and sooner or later they’ll exploit it. I can’t see highly secure, let alone fully secure software happening in many years even decades. Way too much sloppiness or human errors to stop it. Until there are laws and large fines and assurance certification for purveyors of software it will just get worse.
And this is why using shitty cloud repositories for javascript libs is fucking stupid, just because you're too fucking lazy to load it on your own site.
Sites now need to fetch from 100s of bloody sites due to this type of shit...
At least it gives me a way of easily making a block list of sites not to visit.
Um, when your product and repo shows up in the news as a hacker victim more than once a year, maybe it's time to check the habits of your community.
As a gatekeeper, I'm supposed to decide which repos our devs have access to and which don't--and this one is beginning to worry me. And, having tinkered with this one myself, I don't want to have to shut it out completely, but... Oh, this is seriously giving me the willies.
No biggy, but....
... possibly initiating a chain reaction of cyber-crime.
I know what the intended meaning was - I think - but the phrase doesn't communicate it very well. Yeah I know, everyone's a critic... I'm just picturing a tabloid hack looking for stories to lift (or background) seeing the expression and getting altogether the wrong idea.