by carbonboarder on 10/25/21, 7:00 PM with 1 comment
by chrismeller on 10/25/21, 8:46 PM
It should not take a 3rd party like GitHub to notify you that there’s a security hole in a hugely popular package. If the NPM registry can’t do any better self-policing than they already do, they should at least start tagging packages with “verified” or “official” like Docker does.
I would also say they should start advocating for experienced developers. The “even or odd” package getting hacked should have been a call to order, but apparently it wasn’t.