package compromise
2 posts
Article
npm registry shipped 314 compromised packages
314 npm packages were compromised because the consumer install path does not verify publisher identity. The boundary failed at install, not at the registry.
Article
npm was never a trust boundary
Technical analysis of the Shai-Hulud npm supply chain attack hitting 314 packages including echarts-for-react, size-sensor, and timeago.js.