Yo, someone at npm needs to unpublish simple-swizzle@0.2.3 IMMEDIATELY. It’s still actively compromised.

It's been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over but even he isn't able to yank the malicious versions AFAIU.

If there's any ideas on what I should be doing, I'm all ears.

EDIT: I've heard back, they said they're aware and are on it, but no further details.

	▲	alper 3 days ago \| parent \| next [-]
		NPM is a Github company and when there was a relatively serious attack in Github Actions a while back there was also pretty much zero response from them. Github is SOC2 compliant, but that of course means nothing really.
	▲	lambda 4 days ago \| parent \| prev \| next [-]
		They have yanked the bad version of simple-swizzle by now, which was the last of the packages that I was tracking. It took them quite a long time to do so.
	▲	9dev 4 days ago \| parent \| prev \| next [-]
		My god. The npm team should urgently review their internal processes. These two hours of neglect will cost a lot of money downstream. At this stage, they act nothing short of irresponsible.
	▲	dabockster 4 days ago \| parent \| prev [-]
		I haven't published anything to npm in over a decade. But if you still have access to git, a cli, or a browser where the login is cached and you can access it, you should do so and either take the code down or intentionally sabotage/break it.

▲

greatestdevever 2 days ago | parent | prev [-]

I can not find the package anymore. I think someone did it already.