An NPM package with 2,000,000 weekly downloads had malicious code injected into it. No one knows what the malicious code does yet.

(via 🐦gerybernhardt)

@jomo I suspect there's plenty of these around. Didn't Python have something similar a while back?

I think packaging and even containerisation make auditing harder.

@drwho @jomo Some interesting questions about privileges there. Do you have the CVE?

re: not completely joking / virus scanners / linters

@jomo NPM seems to be more and more problematic. Seems like a week doesn’t go by without a story like this

@jomo it's found in the Mastodon web client, and also in Microsoft's Azure CLI tool. So that's a pretty wide spread of the internets from corporate to anticorp.

@jomo I've received an announcement from Snyk this morning that the malicious dependency is hijacking bitcoin transactions.
