Conversation

Nov 26, 2018

I think this npm incident falls into the category of "insider threats", which are pretty much every security professional's worst nightmare

Quote Tweet

Aaron Patterson

@tenderlove

Nov 26, 2018

Honestly I'm not even sure what the lesson to learn from this event-stream "event" is. Don't let others maintain your package? Don't trust anyone?

Tony "Abolish ICE" Arcieri

@bascule

Nov 26, 2018

Captain Hindsight sez...

Replying to

Do you feel that that's the responsibility of the maintainer?

Replying to

and

If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.

Replying to

and

Or they should have done the due diligence themselves. Blindly upgrading to a new version of the library from a different maintainer was their choice. How were they even verifying the sources? Doesn't sound like anything was signed, and an account takeover could have done this.

Replying to

and

so I think if NPM encourages semver upgrades then I'm not sure I want to blame people for "blindly upgrading", but I'm not sure I feel comfortable putting the responsibility on the previous maintainer to maintain all of their software, for free, forever

Replying to

and

I don't think someone working on a hobby project for fun can be expected to take security seriously. People depending on it should look into what they're going to be using and who maintains it. There are more possibilities for disaster than giving it to a new maintainer.

11:06 PM · Nov 26, 2018Twitter Web Client