quarantine 'em

Belated thanks to everybody who independently came up with this horrific idea, and did the sensible thing of burying it at midnight under a new moon instead of acting on it or telling anybody about it. I know I wasn't the only one

I'm tentatively tracing this idea back to the post-install sponsorship message which has been part of the staggeringly widely-used package `core-js` since May 17 of this year, and which I see nearly every day https://github.com/zloirock/core-js/blob/1e14cf0577de17a7410be3f2e8a7ff6f9e15a1b9/packages/core-js/scripts/postinstall.js …

Be right back, inventing uBlock Origin for npm install scripts

At present, the way this ad works is that `standard` has a dependency on another new package, `funding`, which does nothing but print one of a hard-coded group of ads at install time https://github.com/feross/funding/blob/master/messages.json …

So I guess we're not at the point yet where one's machine is dynamically downloading and executing advertisers' code during npm installation. But let's check back in 15 minutes

This is probably a good time to start investigating mitigations for the kind of scenario where an npm install script tries to make HTTP requests

Because an npm install script which dynamically loads ad code is a really amazing opportunity to inject "ad" code which, I don't know, scoops up secrets from the local environment and sends them somewhere

To be clear: we got to this point because people want money. As long as we live in a capitalist society, there's no point where people stop wanting more money. That means ads will eventually permeate every electron of our universe. It is/was inevitable

No amount of revamping open source software funding structures would have prevented this from happening eventually, nor can it make this go away now it's begun