This is quite scary, beware.
Backdoor in event-stream library dependency - https://github.com/dominictarr/event-stream/issues/116
@mdallastella Wait a minute, did you read the thread? This is super hardcore!
@mdallastella So, if I understood correctly.
The maintainer (the author of hundreds of npm modules) gave away the NPM access to the module to someone who used the package to make an attack?
WTF am I reading?
@mdallastella Just checked the profile of the "hacker"...
It has like 3 repos, a few commits and the profile is so fucking empty. This is so wrong I can't even believe it.
Dominic Tarr dude, maybe the developer who made the most npm packages in the world. What the actual fuck?
@mdallastella Also, he made some good points here:
Ohh boy, here we go again! So where should I start checking (project dependencies, installed apps on the desktop, ...)?
Is there any tldr?
@dethos I really don't know 😢
@mdallastella Scary indeed, the original author of that library shares some interesting views in this gist: https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a
@pyrho Yeah, I read it, but I can't agree 100% with him.
@mdallastella I guess that's what makes the JS ecosystem so vibrant, that a guy in his garage can share his code with the whole world with no effort on both sides.
It's also normal for people to move on.
I don't know how to fix the JS ecosystem, but the guy makes a point.
If anything, I hope this incident kickstarts projects that aim to fix this.
https://github.com/wilk/snpm is a good idea to solve one of the issues, but it doesn't have any traction...