This is probably the worst security problem ever in the JS ecosystem. Any npm package could be corrupted, and we wouldn't even know it if the original maintainers no longer pay attention to new releases.

Still, some people argue over whether this deserves its own CVE.

That's just... not what CVEs are for. It's not a matter of how serious the issue is. CVEs are for distributed software, not for services.


The other one that gives me the screaming heebie-jeebies is the wave of maintainers who are going to get bored of being abused for no pay and sell their maintainer rights to malware authors. Or to seemingly nice people who will then sell them to malware authors.

Though this does give them a shortcut. No need to bribe some aging, disenchanted nerd to sell their soul when you can just impersonate them.
