https://distrowatch.com/dwres.php?resource=showheadline&story=20195
>Developers who use the npm repositories should check which repositories they are using and possibly change their security tokens (keys and passwords) after it was discovered over 30 packages have been compromised.
https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
>If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately.
Remember the "npm left-pad incident"? What makes npm supply-chain attacks so common? What about npm makes developers complain about "dependency hell"?
>>108962427
This happens every single day now, it's not news anymore. Don't use npm, go, rust, python.
No one's forcing you to use npm, sweaty. Just use html and vanilla JS :)
>>108962492
>rust, python.
ok, i knew npm was malware, but now you're scaring me
one more reason to never use open sores software
>>108962614
Rust has the "trusting trust" issue and crates.
Python is fine if you don't use pip directly.
npm config set min-release-age 7 --location=user
problem solved
npm config set min-release-age 7 --location=user
>>108962614
>>108962658
>>108852597
>>108962427
just make a local-only app served through github pages and you won't have this problem, sis
>>108962684
What if the vuln is 5 days old and was patched today? You locked yourself out of security patches for a full day or so?
>>108963183
The fuck did I calculate. I mean the vuln is like 9 days old, was patched 6 days ago. So you would have to wait until that patch turns 7 days; until then you have that vuln.
I suppose one would have something like a cron job doing npm audit scans and maybe hard patch. But then again, you would have maybe fake vulnerability patches which are actually just malware. LMAO
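Added example, not code from anyone in this thread: it emulates npm's min-release-age cooldown against a constructed copy of a package's registry "time" map (version -> ISO publish date), so you can see exactly which releases a 7-day cooldown holds back, including the 6-day-old fix the post above is talking about. All package versions and dates are invented.

```javascript
// Constructed registry "time" metadata (invented dates), in the shape
// the npm registry returns for a package. 1.2.3 is the old release with
// the known vuln, 1.2.4 is the fix published 6 days ago, and 1.2.5 is a
// hypothetical hijacked release pushed yesterday.
const REGISTRY_TIME = {
  created: "2025-01-01T00:00:00Z",
  modified: "2026-09-14T00:00:00Z",
  "1.2.3": "2026-06-01T00:00:00Z",
  "1.2.4": "2026-09-09T00:00:00Z",
  "1.2.5": "2026-09-14T00:00:00Z",
};
const NOW = new Date("2026-09-15T00:00:00Z"); // fixed "today" for the demo
const DAY_MS = 24 * 60 * 60 * 1000;

// Only x.y.z keys are releases; "created"/"modified" are registry metadata.
const isRelease = (key) => /^\d+\.\d+\.\d+$/.test(key);

// Numeric comparison of x.y.z versions (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function ageInDays(timeMap, version, now) {
  return (now.getTime() - Date.parse(timeMap[version])) / DAY_MS;
}

// Newest version at least minAgeDays old: what a cooldown-aware install
// would select. Returns null when nothing has aged past the cooldown.
function resolveWithCooldown(timeMap, now, minAgeDays) {
  const eligible = Object.keys(timeMap)
    .filter(isRelease)
    .filter((v) => ageInDays(timeMap, v, now) >= minAgeDays)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Versions the cooldown is currently holding back, so a deferred security
// fix is visible to whoever reviews the audit output, not silently skipped.
function heldBack(timeMap, now, minAgeDays) {
  return Object.keys(timeMap)
    .filter(isRelease)
    .filter((v) => ageInDays(timeMap, v, now) < minAgeDays)
    .sort(compareVersions);
}

console.log(resolveWithCooldown(REGISTRY_TIME, NOW, 7)); // 1.2.3
console.log(heldBack(REGISTRY_TIME, NOW, 7)); // [ '1.2.4', '1.2.5' ]
```

Running heldBack against a real lockfile's registry metadata from a cron job is the audit step the post describes: it lists the fixes you are deferring so they can be reviewed and installed by hand before the cooldown expires.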
>>108962427
It's funny because no-experience zoomies spent the last few years on /g/ shitposting about how pip and virtualenv were so terrible and npm was superior.
Turns out ginger bill was right all along. They are all trash.
>>108963262
cpan was alright. And those were mostly cunning hax0rs using it and creating those packages.
I don't really hate Indians that much, but... Must say that back then there were not many Indians and Pakistanis. And North Koreans desu. They were not messing with cpan, so it seems like that was the major difference. People knew how to make money without resorting to what is similar to petty theft. And now poverty rules, no culture or respect, only "git dat mony" in their minds all the time.
>>108963320
the past wasn't better, you were just more naive
>>108962427
just use oidc and rbac
>>108962427
>it looks as though the compromised packages came from a Red Hat employee's account
Why would you believe that he got compromised?
Couldn't it be RedHat itself installing backdoors and malware for their glowfag friends?
>>108962427
would developing inside some sort of secure container prevent these?
idk if docker is secure enough