Man, I never hear good security things about npm
This doesn't really have anything to do with npm.
anything except that it's malware installed via npm
From the Arch mailing list [0]
>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something
[0] https://lists.archlinux.org/archives/list/aur-general@lists....
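The mailing-list finding quoted above (hundreds of PKGBUILDs all running `npm install` for one package name) is something a maintainer or auditor can check for mechanically. The script below is an added example, not part of this thread or of the Arch tooling: it scans PKGBUILD text for `npm install` / `npm i` / `npm add` invocations, extracts the package names they pull in, and reports any that appear on a watchlist. The PKGBUILD snippets and the `WATCHLIST` set are constructed for the example; the only real name in it, `atomic-lockfile`, is taken from the quote above.

```python
import re
from typing import Dict, List, Set

# Constructed PKGBUILD fragments for the example (not real AUR packages).
# "bar-git" mirrors the pattern described on the mailing list: a build step that
# runs `npm install atomic-lockfile` instead of installing from a lockfile.
SAMPLE_PKGBUILDS: Dict[str, str] = {
    "foo-bin": """pkgname=foo-bin
build() {
  cd "$srcdir"
  npm install --cache "${srcdir}/npm-cache"   # installs from package.json only
}
""",
    "bar-git": """pkgname=bar-git
prepare() {
  npm install atomic-lockfile
  npm i -g \\
    left-pad
}
""",
    "qux": """pkgname=qux
build() {
  npm add atomic-lockfile@^1.0.0
}
""",
    "baz": """pkgname=baz
package() {
  install -Dm755 baz "$pkgdir/usr/bin/baz"
}
""",
}

# Watchlist of package names to flag; the one entry comes from the quoted mailing-list post.
WATCHLIST: Set[str] = {"atomic-lockfile"}

_NPM_INSTALL = re.compile(r"^\s*npm\s+(?:install|i|add)\b(.*)$")
# Loose npm package-name shape (optional @scope/, optional @version suffix). Anything
# with quotes, "$" or "/" outside a scope (e.g. a --cache path) is rejected as a name.
_PKG_NAME = re.compile(r"^(?:@[a-z0-9_.-]+/)?[a-z0-9_.-]+(?:@\S+)?$")


def _join_continuations(text: str) -> List[str]:
    """Merge backslash-continued lines so a multi-line npm command is one logical line."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _bare_name(token: str) -> str:
    """Drop a trailing @version spec but keep a leading @scope/ prefix."""
    if token.startswith("@"):
        return "@" + token[1:].split("@", 1)[0]
    return token.split("@", 1)[0]


def npm_install_targets(pkgbuild: str) -> List[str]:
    """Return the package names an npm install/i/add line pulls in, in order of appearance.

    Flags are skipped, and option values that do not look like package names
    (paths, quoted strings) are filtered by _PKG_NAME. A '#' inside quotes is
    treated as a comment start, which is an accepted heuristic for PKGBUILD text.
    """
    targets: List[str] = []
    for line in _join_continuations(pkgbuild):
        code = line.split("#", 1)[0]
        m = _NPM_INSTALL.match(code)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok.startswith("-") or not _PKG_NAME.match(tok):
                continue
            targets.append(_bare_name(tok))
    return targets


def flag_pkgbuilds(pkgbuilds: Dict[str, str], watchlist: Set[str]) -> Dict[str, List[str]]:
    """Map each PKGBUILD name to the sorted watchlisted packages it installs via npm."""
    hits: Dict[str, List[str]] = {}
    for name, text in pkgbuilds.items():
        bad = sorted(set(npm_install_targets(text)) & watchlist)
        if bad:
            hits[name] = bad
    return hits


if __name__ == "__main__":
    for pkg, names in flag_pkgbuilds(SAMPLE_PKGBUILDS, WATCHLIST).items():
        print(f"{pkg}: npm installs watchlisted package(s) {', '.join(names)}")
```

Against a real checkout of AUR PKGBUILDs the same functions would be fed the file contents instead of the constructed dictionary; the point of `npm_install_targets` is that a build that installs a named package at build time, rather than from a checked-in lockfile, is visible as a single line and can be reviewed before the package is trusted.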
They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
Perhaps there were other vectors, but npm was the one used here.
And yes, this is an AUR issue, but npm being used to host and disseminate malware is also [a chronic] one, even if separate.
So true. The JavaScript ecosystem is trash.