A major international bank accidentally published a private package of their own to the public npm Registry, took *3 years* to notice, and then sent DMCA takedown notices to Amazon and Cloudflare for hosting "stolen code". Now I have to pay a lawyer to explain this to them.
We sell a thing that prevents this kind of mistake, it is called npm Enterprise, you should all really look into it instead of making me spend money to explain how npm publish works to your lawyer.
(I should make clear that this kind of legal confusion happens ALL THE TIME and is a genuine source of overhead in running the registry)
Our lawyer is also going to need to explain to a bank why a React package does not constitute "Stolen Financial Credentials" oh lord
This is the exact reason why where I work, the corporate proxy prevents pushing to npm and all publication of company code is done through a regulated delivery pipeline.
I hope this won't cost npm too much :(
The package in question contains a README with details of the company's own proxy for the same purpose, so presumably such measures are not 100% effective.
Wouldn't be at all surprised if an internal dev within the bank could have explained it to the legal team, if only they had been asked.
I think said dev was too busy hoping nobody noticed they'd accidentally published bank IP to the public internet.