NPM library with 2m installs has a backdoor, looks to be some kind of Trojan (stealer?) https://github.com/dominictarr/event-stream/issues/116
git verify-commit & git verify-tag process the signature on the commit / tag. It might even throw an error for you or tell you a signature couldn't be verified, indicating tampering. Signature has to be there to check for it https://stackoverflow.com/questions/17371955/verifying-signed-git-commits
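What git verify-commit actually reports, as an added example that is not part of the thread and not code from event-stream: the script below builds a throwaway repo under an isolated GNUPGHOME with two constructed identities ("Original Maintainer" and "New Maintainer", both on the reserved example.invalid domain) and checks three commits. It assumes git and a gpg 2.1+ on PATH; if either is missing it exits with status 2 and demonstrates nothing.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Three scenarios against git verify-commit:
#   1. commit signed by the original maintainer's key   -> verified
#   2. unsigned commit                                   -> rejected (no signature to check)
#   3. commit signed by the new maintainer's own key     -> verified
# Scenario 3 is the point of the reply below: a valid signature proves who signed,
# not that the signer is someone you should be accepting code from.

# gen_key <name> <email>: generate an unprotected throwaway key, print its key id.
gen_key() {
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1 <$2>" ed25519 sign 0 >/dev/null 2>&1 || return 1
  gpg --batch --list-secret-keys --with-colons "$2" | awk -F: '/^sec/ { print $5; exit }'
}

# commit_as <repo> <name> <email> <keyid|-> <message>: append a line to index.js
# and commit it, signing with <keyid>, or unsigned when <keyid> is "-".
commit_as() {
  repo=$1; name=$2; email=$3; key=$4; msg=$5
  echo "// $msg" >> "$repo/index.js"
  git -C "$repo" add index.js
  if [ "$key" = "-" ]; then
    git -C "$repo" -c user.name="$name" -c user.email="$email" \
        commit -q --no-gpg-sign -m "$msg"
  else
    git -C "$repo" -c user.name="$name" -c user.email="$email" \
        -c user.signingkey="$key" commit -q -S -m "$msg"
  fi
}

# verdict <repo> <rev>: "verified" or "rejected" from git verify-commit's exit
# status, which is all that most CI and packaging tooling ever looks at.
verdict() {
  if git -C "$1" verify-commit "$2" >/dev/null 2>&1; then echo verified; else echo rejected; fi
}

# demo_verify: run the three scenarios, print one summary line on stdout and the
# per-commit signature status (%G?) and signer (%GS) on stderr. Exit 2 = git/gpg
# not usable here.
demo_verify() {
  command -v git >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1 || return 2
  work=$(mktemp -d) || return 2
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  orig=$(gen_key "Original Maintainer" "orig@example.invalid") || return 2
  new=$(gen_key "New Maintainer" "new@example.invalid") || return 2
  repo="$work/repo"
  git init -q "$repo" 2>/dev/null || return 2

  commit_as "$repo" "Original Maintainer" orig@example.invalid "$orig" "1.0.0 signed release" || return 2
  r1=$(verdict "$repo" HEAD)

  commit_as "$repo" "New Maintainer" new@example.invalid - "unsigned change" || return 2
  r2=$(verdict "$repo" HEAD)

  commit_as "$repo" "New Maintainer" new@example.invalid "$new" "signed with the new maintainer's key" || return 2
  r3=$(verdict "$repo" HEAD)

  git -C "$repo" log --format='%h %G? %GS %s' >&2
  echo "original-signed=$r1 unsigned=$r2 new-key-signed=$r3"

  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
}

if [ "${1:-}" = run ]; then demo_verify; fi
```

Run it as `sh demo.sh run`; the summary line comes out as `original-signed=verified unsigned=rejected new-key-signed=verified`. The `%G?` column in the log shows `G` for the commits signed with a key the local keyring knows and `N` for the unsigned one. To turn the second scenario into a hard failure in CI you need a policy that every commit or tag must carry a signature, and to catch the third you need a policy on which keys are acceptable (for example `gpg.minTrustLevel` or an explicit allowed-signers list), since verify-commit alone answers only "is this signature valid for this key".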
And in this alternate universe where the author had signed his code before GIVING THE REPO TO SOMEBODY ELSE, this code wouldn't have been affected? And nobody using npm would have received the malicious updates?