Hacker News

vintagedave, yesterday at 11:03 AM (2 replies)

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?


Replies

cluckindan, yesterday at 11:11 AM

Just use dependency cooldown. It will mitigate a lot of risk.

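The "dependency cooldown" cluckindan refers to is a policy of refusing any package version that has been public for less than N days, so a malicious release, which is typically reported and unpublished within hours or days, is never installed. Several update bots and package managers offer this as a setting; the script below is an added example (not the commenter's code, not part of any npm tool) showing the check itself over the npm registry's package metadata. The registry document shape (`dist-tags`, `time` keyed by version) is real; the package name, versions, dates and the fixed clock are constructed for the example.

```javascript
// Added example: a dependency-cooldown check over npm registry metadata.
// The registry "packument" for a package carries a `time` object mapping
// each published version to its publish timestamp (plus `created` and
// `modified`). A cooldown policy only accepts versions at least N days old.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample packument: shape follows the real registry document,
// but the package name, versions and dates are made up for this example.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2025-03-02T08:00:00.000Z",
    "1.4.0": "2024-11-20T12:00:00.000Z",
    "2.0.0": "2025-02-01T10:30:00.000Z",
    "2.0.1": "2025-03-02T08:00:00.000Z",
  },
};

// Published versions with their publish Date, newest first. The `created`
// and `modified` keys are bookkeeping, not versions, so they are skipped.
function publishedVersions(packument) {
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }))
    .sort((a, b) => b.publishedAt - a.publishedAt);
}

// True when `version` has been public for at least `minAgeDays` as of `now`.
// Unknown versions (and the bookkeeping keys) are treated as not cooled
// down, so the check fails closed rather than letting a typo through.
function isCooledDown(packument, version, minAgeDays, now = new Date()) {
  if (version === "created" || version === "modified") return false;
  const iso = packument.time[version];
  if (!iso) return false;
  const ageMs = now.getTime() - new Date(iso).getTime();
  return ageMs >= minAgeDays * DAY_MS;
}

// Newest version that satisfies the cooldown, or null if none does. This is
// what a resolver applying a cooldown would select instead of `latest`.
function newestCooledVersion(packument, minAgeDays, now = new Date()) {
  for (const { version } of publishedVersions(packument)) {
    if (isCooledDown(packument, version, minAgeDays, now)) return version;
  }
  return null;
}

// Stand-alone demo with a fixed clock (constructed) so the output is stable.
const NOW = new Date("2025-03-04T00:00:00.000Z");
const latest = SAMPLE_PACKUMENT["dist-tags"].latest;
console.log(`latest=${latest} cooled(7d)=${isCooledDown(SAMPLE_PACKUMENT, latest, 7, NOW)}`);
console.log(`7-day cooldown selects: ${newestCooledVersion(SAMPLE_PACKUMENT, 7, NOW)}`);
```

With the sample data and a 7-day cooldown, `latest` (2.0.1, two days old) is rejected and 2.0.0 is selected instead; a long enough cooldown yields `null`, which a CI gate should treat as "do not upgrade" rather than fall back to `latest`. Fetching the real packument (`GET https://registry.npmjs.org/<name>`) and feeding it to `newestCooledVersion` is the only change needed to run this against a live package.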
Ygg2, yesterday at 11:11 AM

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.