The "Sha1-Hulud" malware returns in a massive supply chain attack compromising 800+ npm packages. The "Second Coming" variant features a destructive wiper mechanism targeting developer home directories.
The NPM ecosystem has been ripe for this kind of invasion over a decade. And I don’t want to make generalizations or throw shade at a whole class of people, but over the years I have met a lot of very complacent, very naive about security Node devs (some of whom have gotten very frustrated with me for raising concerns about the ecosystem being a ticking time bomb).
I’ve been expecting something like this for years.
The NPM ecosystem has been ripe for this kind of invasion over a decade. And I don’t want to make generalizations or throw shade at a whole class of people, but over the years I have met a lot of very complacent, very naive about security Node devs (some of whom have gotten very frustrated with me for raising concerns about the ecosystem being a ticking time bomb).
I’ve been expecting something like this for years.