Profile picture
Gary Bernhardt @garybernhardt
, 9 tweets, 2 min read Read on Twitter
An NPM package with 2,000,000 weekly downloads had malicious code injected into it. No one knows what the malicious code does yet. github.com/dominictarr/ev…
There are basically two camps in that thread.

1) This is the original maintainer's fault for transferring ownership to someone they didn't know and trust.
2) Ownership transfer was fine; it's your job to vet all of the code you run.
Option 2 (vet all dependencies) is obviously impossible. Last I looked, a new create-react-app had around a thousand dependencies, all moving fast and breaking things.
Option 1 (a chain of trust between package authors) seems culturally untenable given the reactions in that thread, including from well-known package authors.
There was an option 3: don't decompose your application's dependency graph into thousands of packages. People who argued that position were dismissed as (to paraphrase heavily) old and slow. That ship has sailed, and now we're here.
We knew that this was coming. hackernoon.com/im-harvesting-…
Why did this happen to NPM and not another system? Partly, NPM is just a big target. But partly because NPM modules are tiny, so there are more modules and maintainers, which means more attack surface area. Create-react-app 2.1.1 installs 1,770 dependencies (excluding dupes).
This package's author owns 423 packages on NPM. That doesn't include all of the ones that they authored, but are now owned by another maintainer.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Gary Bernhardt
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!