Hacker News

Gigachad, yesterday at 11:01 AM (3 replies)

The problem isn't specific to node. NPM is just the most popular repo so the most value for attacks. The same thing could happen on RubyGems, Cargo, or any of the other package managers.


Replies

gred, yesterday at 11:28 AM

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

vintagedave, yesterday at 11:03 AM

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

PunchyHamster, yesterday at 2:17 PM

Value is one thing, but the average user (by virtue of it being popular) will just be less clued in on any security practices that could mitigate the problem.