{harry,whg}.eth
@sniko_
10 May 2022
Supply chain attacks
May 10, 2022 · 11:14 AM UTC
Alex Van de Sande (avsa.eth)
@avsa
10 May 2022
Replying to @sniko_
Why does “foreach” even need to ever be updated?
{harry,whg}.eth
@sniko_
10 May 2022
It doesn't, but I bet there are projects set up with "foreach": "*" in their package.json
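The "foreach": "*" point is easy to check for in your own tree. The script below is an added example, not part of the thread or of any project mentioned in it: it flags package.json ranges with no upper bound, which would pull a newly published major version on the next install when no lockfile pins it. The package.json it scans is a constructed sample.

```python
import json

# Range forms that accept any version npm ever publishes for the package.
UNBOUNDED_LITERALS = {"*", "", "x", "X", "latest"}

# package.json fields whose values are "name": "range" maps.
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def is_unbounded(spec: str) -> bool:
    """True when a semver range has no upper bound, so a freshly published
    major version (benign or not) is accepted on the next install."""
    s = spec.strip()
    if s in UNBOUNDED_LITERALS:
        return True
    # "a || b" accepts a version if either side does.
    if "||" in s:
        return any(is_unbounded(part) for part in s.split("||"))
    # A lone lower bound such as ">=1.0.0" or ">1" with no "<" ceiling.
    if s.startswith(">") and "<" not in s:
        return True
    return False


def find_unbounded_deps(package_json_text: str) -> dict:
    """Return {"<field>.<name>": "<range>"} for every unbounded dependency."""
    pkg = json.loads(package_json_text)
    findings = {}
    for field in DEP_FIELDS:
        for name, spec in pkg.get(field, {}).items():
            if isinstance(spec, str) and is_unbounded(spec):
                findings[f"{field}.{name}"] = spec
    return findings


# Constructed sample package.json; "foreach": "*" is the case from the thread.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "foreach": "*",
        "some-lib": ">=1.0.0",
        "other-lib": ">=2.0.0 <3.0.0",
        "pinned-lib": "4.17.21",
    },
    "devDependencies": {"some-tool": "latest", "caret-tool": "^2.1.0"},
})

if __name__ == "__main__":
    for key, spec in find_unbounded_deps(SAMPLE_PACKAGE_JSON).items():
        print(f"unbounded range: {key} = {spec!r}")
```

Caret and tilde ranges are deliberately not flagged: they still float to new minors or patches within a major, so the real control is a committed lockfile installed with `npm ci` or `yarn install --frozen-lockfile`.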
JLarky
@JLarky
10 May 2022
Replying to @sniko_
yarn why foreach
Rory McCune
@raesene
10 May 2022
Replying to @sniko_
cool.... cool, cool, cool. :/
Anna #standWithUkraine
@lilaloveslingos
10 May 2022
Replying to @sniko_
I believe you're looking for this:
https://mastodon.social/@lrvick
@lrvick
9 May 2022
1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.
Amias Channer
@amias
11 May 2022
Replying to @sniko_
We didn't have this problem so much on CPAN because we had a lot more people testing and checking modules for sanity.
Luigy Lemon
@luigyGT
10 May 2022
Replying to @sniko_
This thing of the internet was probably a bad idea
M Serdar Oygen
@mserdaroygen
10 May 2022
Replying to @sniko_
Another day another JavaScript shenanigan