In light of ua-parser-js, when will npm finally get serious about security and require cryptographically signed packages like Maven Central? Until it does, it is still just a toy ecosystem, not fit for production, IMHO.


I agree with the sentiment (npm is beyond useless). I don't know Maven well. How would signed code help here? (actual question)

I suspect the problem may be inherent to package managers that don't curate developers (Debian-style).

As I understand it, the developer's account was breached (pw bruteforce, or email, or session leak?) and then a package uploaded through normal means.


@wakingrufus Accounts could require a crypto key via admin UI (like SSH and git platforms), but presumably between uploader and npm only. Unless users validate every developer key (too many, blind acceptance), or if npm restricts access to only a small number of vetted developers for which they auto re-sign with a shared key (like Debian).

If for upload only, attacker changes key and uploads anyway.

npm does support requiring 2FA for login and pkg upload. Would that have stopped it? (2/2)

Mastodon for Tech Folks