_pdp_ an hour ago
Why blame NPM? Would you blame GitLab if an open-source maintainer was hacked and as a result the repo contained malicious changes? All of these recent incidents are just developers doing stupid things ... like using their compromised devices for making production changes, which is basically a big red flag to begin with. In fact, the entire situation has been exacerbated by coding agents because now practically everything happens on a single device that touches hundreds of different production systems with full production credentials.
gred 38 minutes ago
Days since last malicious packages in NPM: 0 (evergreen)
Days since last malicious packages in PyPI: 30
Days since last malicious packages in Maven: 120
I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc.), but they aren't as easy as a quick Google News search.