NPM library with 2m installs has a backdoor, looks to be some kind of Trojan (stealer?) https://github.com/dominictarr/event-stream/issues/116
-
To be fair there isn't really a good web of trust set up around stuff like this. One of my most popular packages on GitHub is now maintained by someone else (it's not an npm package), who offered to take it over when I no longer worked on it.
-
Is it really so hard to sign your commits? Does that not help? Does that not at least aid discovery of tampering in the repo? https://zach.codes/setting-up-gpg-signing-for-github-on-mac/
- 6 more replies
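An added example for the tamper-discovery question in the reply above (this is not code from the thread or from the event-stream project): signed commits vouch for the git history, but what `npm install` unpacks is a registry tarball, and the thing that ties those bytes to a build someone reviewed is the `integrity` field in package-lock.json, a Subresource Integrity hash of the form `sha512-<base64>`. The script below recomputes that hash for a tarball and compares it with the pinned value. The package names, file contents and lockfile are constructed for the example so it runs offline.

```python
# Added example for this thread (not code from the thread or from the
# event-stream project). Signed commits vouch for the git history; what npm
# installs is a separate tarball, and package-lock.json pins that tarball with
# an `integrity` field in Subresource Integrity form ("sha512-<base64>").
# This script recomputes that hash and compares it with the pinned value.
# Package names, file contents and the lockfile below are constructed.
import base64
import hashlib
import hmac
import io
import tarfile


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string as npm writes it into package-lock.json."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tgz laid out like an npm publish (package/ prefix).

    Constructed stand-in for a registry download so the example runs offline.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def check_lockfile(lock: dict, tarballs: dict) -> dict:
    """Compare each pinned integrity in a lockfileVersion 2/3 `packages` map
    against the tarball bytes we actually hold. Returns {name: ok}.

    A missing pin or a missing tarball counts as a failure: a dependency that
    cannot be checked is not one we can vouch for.
    """
    results = {}
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project, which has no tarball
        name = path[len("node_modules/"):]
        pinned = entry.get("integrity")
        data = tarballs.get(name)
        if pinned is None or data is None:
            results[name] = False
            continue
        results[name] = hmac.compare_digest(sri_sha512(data), pinned)
    return results


def demo() -> dict:
    """Constructed scenario: two dependencies pinned to the same reviewed build,
    one of which now ships different bytes under the same version number."""
    reviewed = build_tarball({"index.js": b"module.exports = () => 'ok';\n"})
    lock = {
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "app", "version": "1.0.0"},
            "node_modules/trusted-lib": {
                "version": "1.0.0",
                "integrity": sri_sha512(reviewed),
            },
            "node_modules/swapped-lib": {
                "version": "1.0.0",
                "integrity": sri_sha512(reviewed),
            },
        },
    }
    # Same version string, extra code that the pinned hash never covered.
    swapped = build_tarball({
        "index.js": b"module.exports = () => 'ok';\nrequire('./extra');\n",
        "extra.js": b"// not present in the build that was hashed\n",
    })
    return check_lockfile(lock, {"trusted-lib": reviewed, "swapped-lib": swapped})


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'integrity matches' if ok else 'INTEGRITY MISMATCH'}")
```

Run as a script it reports one match and one mismatch. `npm ci` performs the same comparison itself and errors out when a tarball's hash differs from the lockfile, so the check is only as strong as the review that produced the pin in the first place; a pin committed without looking at the tarball just freezes whatever the registry served that day.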