Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.
You must log in or # to comment.
npm is bad
It’s definitely got the worst defaults compared to the alternatives.
pnpm, Bun, and Deno have all made better choices about their defaults. pnpm blocks postinstall scripts, Bun requires explicit opt-in for them, Deno’s permission model is restrictive by design.
