<div dir="ltr"><div dir="ltr">On Wed, Sep 17, 2025 at 7:56\u202fPM Ron <<a href="mailto:ron@bclug.ca">ron@bclug.ca</a>> wrote:</div><div class="gmail_quote gmail_quote_container"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Khalid Baheyeldin wrote on 2025-09-17 14:28:<br>
<br>
> I have always thought that NPM's governance makes<br>
> NPM packages a very insecure platform to build stuff on.<br>
<br>
That could be a governance issue, but "watering hole" attacks aren't <br>
exclusive to NPM and anything that gets popular enough is susceptible.<br>
<br>
If Perl were still popular, CPAN would probably be a target. PyPI has <br>
been targeted too.</blockquote><div><br></div><div style="font-size:small" class="gmail_default"><div class="gmail_default" style="font-size:small">I hear you.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">But popularity alone cannot account for the frequency of these attacks.</div><div class="gmail_default" style="font-size:small">I recall a similar argument being made decades ago about Linux being</div><div class="gmail_default" style="font-size:small">more secure than Windows, chalking it up to Linux not being as popular.</div><div class="gmail_default" style="font-size:small">And that was wrong at the time. <br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">We also have Debian and Ubuntu and other distributions having repositories</div><div class="gmail_default" style="font-size:small">for 30+ years, but similar occurrences are very rare.<br></div></div></div></div>