
"Hundreds of malicious packages [so obscure that almost no one installed them] found on <package registry>" really is the new way for security companies to score some cheap PR, huh


Meanwhile it instills a lot of (unjustified) fear of package registries into a lot of developers, even though the "security issue" essentially boils down to "someone let their dog crap in the community garden" and the attack vector doesn't scale to anything that people actually use

Okay I think that's enough grumbling for tonight

The format of the news articles about these attacks is also always the same:
- "npm has billions of downloads"
- "thousands of malicious packages"
- suspicious lack of detail about how many downloads *these specific packages* had
- "who knows how many projects have been affected" (well, you can literally just look at the download count)

Like, these people have to know exactly what they're doing

@joepie91 The security of the implied alternative, namely "copy and paste from random gists and stackoverflow answers," never seems to be discussed in such PR. Funny, that.

@joepie91 yeah, because package registries are fundamentally less secure than having a million websites you have to go to to get all of your software, any one of which could be compromised, and users definitely have every package in the registry installed at all times
