undefined | Better HN

0 pointsGigachad7mo ago0 comments

The problem isn't specific to node. NPM is just the most popular repo so the most value for attacks. The same thing could happen on RubyGems, Cargo, or any of the other package managers.

0 comments

3 comments · 3 top-level

gred7mo ago

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

9 more replies

vintagedave7mo ago

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

2 more replies

PunchyHamster7mo ago

Value is one thing but the average user (by virtue of being popular) will be just less clued in on any security practices that could mitigate the problem.

j / k navigate · click thread line to collapse