QuantumNoodle 6 hours ago

Man, I never hear good security things about npm

Retr0id 6 hours ago | parent | next [-]

This doesn't really have anything to do with npm.

vitamark 5 hours ago | parent | next [-]

Anything except that it's malware installed via npm.

notabotiswear 5 hours ago | parent | prev [-]

From the Arch mailing list [0]

>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something

[0] https://lists.archlinux.org/archives/list/aur-general@lists....

Retr0id 5 hours ago | parent [-]

They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.

notabotiswear 5 hours ago | parent [-]

Perhaps there were other vectors, but npm was the one used here.

And yes, this is an AUR issue, but npm being used to host and disseminate malware is also [a chronic] one, even if separate.

animitronix 4 hours ago | parent | prev [-]

So true. The JavaScript ecosystem is trash.