Why does "low barriers" have to mean "no screening"?
Surely most contributors would be OK with a delay before their code was published, while it gets screened for known malware.
Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper. The two poisoned libraries – noblox.js-proxy and noblox.js - …
Because the learning curve of JavaScript has the lowest barrier of all languages, so contributions will naturally be overly abundant
The accessibility of JavaScript is uncanny. You can use any web browser to write JavaScript using the browser's dev tools; I know of no other language that accessible.
The odd thing about JavaScript is that as it evolves it becomes easier to use and more standardized but, strangely, people find it more and more difficult to write themselves. And again there, I know of no other language that exhibits this uptake of delusional behavior.
While you might not be in it, JavaScript has by far the largest estranged clique of developers that blindly run into walls that are self-constructed.
I can therefore create a package called noblox.js.jackpotnow and nobody is going to bat an eyelid until somebody actually wonders why that exists.
Somehow that does not strike me as "anyone can contribute", so much as "anyone can fuck it up".
I've got a feeling that the ease-of-contribution culture is going to get a healthy dose of reality check in the coming years. It's not because it's open source that it has to be a free-for-all. I'm sure developers are going to welcome a bit of verification if it means that their code can be kept from the dregs of the Intarwubs.
After all, what's the real cost of having to sign in to a project before being able to contribute? It's just a few emails and an identifier for your contributions.
Identifier that can be banned if you screw up, of course.
I'm inclined to agree. I've published game mods myself, and for me that included signing in. And yes, there was a delay while the code was screened before it was published.
But that wasn't Roblox. The target market for that platform is schoolkids. I can believe they view things differently. The question is whether a slightly higher hurdle would discourage people who might otherwise go on to make valuable contributions. My instincts say probably not, but they also say the publisher probably has better data on that question than I do.