"Hundreds of malicious packages [so obscure that almost noone installed them] found on <package registry>" really is the new way for security companies to score some cheap PR, huh
Meanwhile it instills a lot of (unjustified) fear of package registries into a lot of developers, even though the "security issue" essentially boils down to "someone let their dog crap in the community garden" and the attack vector doesn't scale to anything that people actually use
The format of the news articles about these attacks is also always the same:
- "npm has billions of downloads"
- "thousands of malicious packages"
- suspicious lack of detail about how many downloads *these specific packages* had
- "who knows how many projects have been affected" (well, you can literally just look at the download count)
Like, these people have to know exactly what they're doing