nfodor | 3 hours ago

Open-sourced a tool that catches this: compares npm tarballs against GitHub source. If deps exist in npm but not in git, it flags it. Zero deps. One file. Already detects the hijacked maintainer email on the current safe version. github.com/nfodor/npm-supply-chain-audit
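The check described in that comment, as an added example that is not the linked tool's code: it diffs the package.json committed to git against the one shipped in the npm tarball and reports dependencies, install hooks or an author field that exist only in the published version. Both manifests below are constructed samples, and comparing the tarball's `author` field is assumed here as a stand-in for registry maintainer metadata.

```python
import json

# Constructed sample manifests (assumed, not taken from any real package):
# what GitHub shows vs. what the published npm tarball contains.
GIT_PACKAGE_JSON = """{
  "name": "example-lib", "version": "1.2.3",
  "author": "Maintainer <maintainer@example.org>",
  "scripts": {"test": "node test.js"},
  "dependencies": {"lodash": "^4.17.21"}
}"""
NPM_PACKAGE_JSON = """{
  "name": "example-lib", "version": "1.2.3",
  "author": "Maintainer <maintainer@mail.example>",
  "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
  "dependencies": {"lodash": "^4.17.21", "colors-helper": "1.0.0"}
}"""

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def diff_manifests(git_src: str, npm_src: str) -> dict:
    """Report what the tarball manifest declares that the git manifest does not."""
    git, npm = json.loads(git_src), json.loads(npm_src)
    findings = {"added_deps": [], "changed_deps": [], "changed_hooks": [],
                "author_changed": False}
    for field in DEP_FIELDS:
        git_deps, npm_deps = git.get(field, {}), npm.get(field, {})
        for name, spec in sorted(npm_deps.items()):
            if name not in git_deps:          # dep exists only in the tarball
                findings["added_deps"].append(f"{field}:{name}@{spec}")
            elif git_deps[name] != spec:      # same dep, different version range
                findings["changed_deps"].append(f"{field}:{name} {git_deps[name]} -> {spec}")
    git_scripts, npm_scripts = git.get("scripts", {}), npm.get("scripts", {})
    for hook in INSTALL_HOOKS:                # lifecycle hooks run on install
        if hook in npm_scripts and npm_scripts[hook] != git_scripts.get(hook):
            findings["changed_hooks"].append(f"{hook}: {npm_scripts[hook]}")
    findings["author_changed"] = git.get("author") != npm.get("author")
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when anything was added or altered between git and the tarball."""
    return bool(findings["added_deps"] or findings["changed_deps"]
                or findings["changed_hooks"] or findings["author_changed"])


if __name__ == "__main__":
    print(json.dumps(diff_manifests(GIT_PACKAGE_JSON, NPM_PACKAGE_JSON), indent=2))
```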
croemer | 23 minutes ago | reply to nfodor

You mean you vibe coded something. "Zero deps. One file." People prefer hand-written comments over LLM-written ones. "Already detects the hijacked maintainer email on the current safe version." You simply flag all proton email addresses.