[kwlug-disc] NPM supply chain worm

Khalid Baheyeldin kb at 2bits.com
Wed Sep 17 20:23:10 EDT 2025


On Wed, Sep 17, 2025 at 7:56 PM Ron <ron at bclug.ca> wrote:

> Khalid Baheyeldin wrote on 2025-09-17 14:28:
>
> > I have always thought that NPM's governance makes
> > NPM packages a very insecure platform to build stuff on.
>
> That could be a governance issue, but "watering hole" attacks aren't
> exclusive to NPM and anything that gets popular enough is susceptible.
>
> If Perl were still popular, CPAN would probably be a target.  PyPI has
> been targeted too.


I hear you.

But popularity alone cannot account for the frequency of these attacks.
I recall a similar argument being made decades ago about Linux being
more secure than Windows, chalking it up to Linux not being as popular.
And that was wrong at the time.

We also have Debian and Ubuntu and other distributions having repositories
for 30+ years, but similar occurrences are very rare.