<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Ahhh NPM the spice of life….<br id="lineBreakAtBeginningOfSignature"><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On Sep 17, 2025, at 7:02 PM, Khalid Baheyeldin &lt;kb@2bits.com&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div><div style="font-size:small" class="gmail_default">I have always thought that NPM's governance makes </div><div style="font-size:small" class="gmail_default">NPM packages a very insecure platform to build stuff on.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">For years, whenever I have encountered a nifty piece </div><div style="font-size:small" class="gmail_default">of software that I need, but it requires NPM, I would </div><div style="font-size:small" class="gmail_default">definitely pass.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Now there is another example of a supply chain attack where <br></div><div style="font-size:small" class="gmail_default">a self-replicating worm (dubbed Shai Hulud, Dune fans will </div><div style="font-size:small" class="gmail_default">know the relation).</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default"><a href="https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html">https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html</a></div><br clear="all"></div><div style="font-size:small" class="gmail_default"><a href="https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack">https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack</a></div><div><br></div><div><div style="font-size:small" class="gmail_default"><a href="https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again">https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again</a></div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Khalid M. Baheyeldin</div></div>
<pre>_______________________________________________<br>
kwlug-disc mailing list<br>
To unsubscribe, send an email to kwlug-disc-leave@kwlug.org<br>
with the subject "unsubscribe", or email<br>
kwlug-disc-owner@kwlug.org to contact a human being.<br>
</pre></div></blockquote></body></html>