
Oh no, not again a meditation on NPM supply chain attacks


For enterprise software, the software supply chain presents some of the biggest risks today to data privacy and security.

Each release of Internet Explorer added something new to the browser landscape, but it also continued to add bugs and flaws on top of the ones that no one touched: by default, every Windows system carried code that could give hijackers access to users' machines. My frustration at the time was aimed mostly at npx itself; it seemed like the NPM team were adding a new, easy-to-use attack vector by shipping a tool that could run any module from any source on the web, on your machine, without user interaction. There was also a lot of early abandonment of libraries, and communities started to form around some of the larger ones to at least establish them as de facto tools. Express.js, for example, has been around since before npm (and for all the complaints about performance aimed at it, it is highly battle-tested and the worst bugs have likely been squashed).


Read more on: npm, meditation

Related news:

- Which NPM package has the largest version number?
- Hackers left empty-handed after massive NPM supply-chain attack
- You too can run malware from NPM (I mean without consequences)