this post was submitted on 01 Jun 2026
80 points (97.6% liked)
Cybersecurity
10044 readers
198 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't really see how it's NPM at fault here. This was caused by a malicious actor taking control of an account and putting out bad packages on it. It could happen on any package repository for any language
Trust by default for a atomic packaging system. Entirely NPM's fault.
My understanding is that for most package managers the signing keys are held by a smallish number of maintainers responsible for entire sections, who presumably keep those accounts pretty tightly secured. Not impossible to take over, but it's a smaller attack surface.
While for NPM as far as I know every uploader keeps their own account and there's not even signing keys to lose control of.