| ▲ | junon 4 days ago | |
It's been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over but even he isn't able to yank the malicious versions AFAIU. If there's any ideas on what I should be doing, I'm all ears. EDIT: I've heard back, they said they're aware and are on it, but no further details. | ||
| ▲ | alper 3 days ago | parent | next [-] | |
NPM is a Github company and when there was a relatively serious attack in Github Actions a while back there was also pretty much zero response from them. Github is SOC2 compliant, but that of course means nothing really. | ||
| ▲ | lambda 4 days ago | parent | prev | next [-] | |
They have yanked the bad version of simple-swizzle by now, which was the last of the packages that I was tracking. It took them quite a long time to do so. | ||
| ▲ | 9dev 4 days ago | parent | prev | next [-] | |
My god. The npm team should urgently review their internal processes. These two hours of neglect will cost a lot of money downstream. At this stage, they act nothing short of irresponsible. | ||
| ▲ | dabockster 4 days ago | parent | prev [-] | |
I haven't published anything to npm in over a decade. But if you still have access to git, a cli, or a browser where the login is cached and you can access it, you should do so and either take the code down or intentionally sabotage/break it. | ||