this post was submitted on 16 May 2026
192 points (97.5% liked)

Programming

26958 readers
1287 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev
192
‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens (kevinpatel.xyz)
submitted 21 hours ago by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev
39 comments fedilink hide all child comments
 

SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.

“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”

you are viewing a single comment's thread
view the rest of the comments
[–] SorteKanin@feddit.dk 18 points 19 hours ago (4 children)

Doesn't lots of package managers have the exact same problems?

[–] BrianTheeBiscuiteer@lemmy.world 28 points 15 hours ago

It "regularly happens" in NPM because it has one of the biggest attack surfaces. You think hackers are spending a meaningful amount of time taking over abandoned Lua projects?

[–] HaraldvonBlauzahn@feddit.org 1 points 9 hours ago

I dunno. I use Debian, Arch, and Guix on top mostly for development, and these fit my needs very well.

[–] moonpiedumplings@programming.dev 18 points 19 hours ago (3 children)

Not linux distro package managers.

[–] 5ymm3trY@discuss.tchncs.de 4 points 7 hours ago

Things like the AUR in Arch Linux are also susceptible to this. About a year ago there were malicious versions of popular browsers e.g. firefox-patch-bin or librewolf-fix-bin in the AUR. As others have said, NPM has a huge attack surface because it is practically used by everyone which is probably why it is targeted a lot more.

[–] mabeledo@lemmy.world 2 points 8 hours ago

Because distro packages rely on a small group of trusted maintainers, while anyone can publish anything to the NPM registry.

Also, distro packages are usually full fledged applications or libraries, which require a certain number of developers upstream to maintain them. There are thousands of NPM packages out there that are essentially walking corpses waiting to be infected.

[–] Piatro@programming.dev 3 points 11 hours ago (2 children)

One of these days I should really look at the specific differences that means Linux packages rarely experience this while npm it happens seemingly once a month.

[–] iglou@programming.dev 5 points 10 hours ago

Typically people only have trustworthy repositories configured. The amount of people with access to deploy on those is low. Less keys, less chance of someone stealing one.

Plus, let's be honest, people deploying linux packages are probably much more security-conscious than people deploying a random but useful javascript lib on npm.

[–] MonkderVierte@lemmy.zip 2 points 8 hours ago

Chain of trust for one.

[–] marlowe221@lemmy.world 6 points 17 hours ago

Yes, a lot of programming language package managers do have similar problems as npm.