A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.
The npm registry maintainers really need to do something about this, feels like a monthly occurrence now.
Particularly in the era where some devs seem to be happily letting Claude go and install whatever dependencies it likes in projects without a second thought.
More like weekly for some months! I’m constantly in security meetings at my job because of this! I hate it.