'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens
Edit: some people don't understand that it's a reference to https://en.wikipedia.org/wiki/%27No_Way_to_Prevent_This,%27_...
The big attacks of today are spread across several package ecosystems: TrapDoor and Shai-Hulud have been hitting npm, PyPI, Composer, and crates with the same malware.
People make this joke often. It's package managers and how loose we are with installing them, not NPM.
Cargo, PyPI, NuGet, PHP have had these recently too.
It's not only NPM. It's frequently repeated here just because of the average bias against Node.
But this problem isn't isolated to NPM.
Ask and you shall receive: https://xeiaso.net/shitposts/no-way-to-prevent-this/supply-c...
Last 30 days:
PyPI, May 11. [1]
Crates.io, May 22. [2]
Composer, May 22. [3]
[1] https://www.tenable.com/blog/mini-shai-hulud-frequently-aske...
[2] https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-cra...
[3] https://phoenix.security/laravel-lang-composer-supply-chain-...
PyPI and Cargo are, 100%, vulnerable to this same class of compromises. That NPM sucks isn't a statement that everyone else doesn't.
There’s actually a blog post with that exact title.
Npm developers can relate to Windows being a target because it’s the most popular package manager.
Why would you target xyz pkg niche manager knowing that only 200 people will install them?
NPM does perform active offline & online vuln scanning on the packages. Everyone can do more, but they are going to be the #1 target.
tbf this is happening with a lot of package managers now, including pypi and composer
I've deleted and am rewriting this, to be more explicit, because HN downmodded the first comment to hell but I know I'm right and the crowd is wrong.
So, explicitly:
- pip
- Cargo
- apt/dpkg
- dnf/yum
- Homebrew
- RubyGems
- Composer (limited)
- Maven
...all allow scripts.
We understand the reference, it's just not correct: most package managers allow scripts, npm is the most successful package manager.
npm shouldn't allow scripts, but exploits happen everywhere.
All programming language package managers are vulnerable. They all have the exact same caveats as the Arch Linux User Repository. There are no trusted maintainers taking responsibility for things. Any random person can make an account and push packages.
Please stop posting this on every single security incident thread with npm. It was funny once, it's just rehashing the same debate over and over.
Let me provide context, since a bunch of people are responding with "every package manager can be hit!!!": npm, by design, allows all packages to run package-supplied arbitrary code as the logged-in user after an update completes.
That's an INSANE default. pnpm, by contrast, allows you to essentially "opt-in" only specific packages that need this (e.g. four out of thirty, in one of our projects). Then tacks on tons of other security settings, like minimum age, no trust downgrade, etc etc.
All attackers can attack packages by updating how a package functions, but npm is particularly problematic as it runs non-sandboxed scripts as the calling user, putting not just your project at risk but your entire machine/network.
And this stuff has been known about for YEARS, they've taken no action.