"saved by procrastination!" made me smile.

One of the common cases of being offline first, disconnected etc. pays off.

Don't rush. Work on Hawaiian clock!

My open source projects were not affected but close call. I was using 2 of the dependencies (as sub-dependencies) but older versions. Seems that my philosophy of minimizing the number of dependencies and looking up dependency authors is paying off.

I saw this kind of thing coming years ago. I never understood why people were obsessed with using tiny dependencies to save them 4 lines of code. These useless dependencies getting millions of weekly downloads always seemed very suspicious to me.

WebAuthN/fido/passkey should be mandatory to publish a package with >N downloads. Email and TOTP codes can be MITMd.

"A little duplication is better than a little dependency"

- Golang Proverb (also applies to any other programming language...)

Lazy conclusion. People can and have been validating dependencies. We need an npm proxy with validated dependencies.

Trying to read this on Brave on Android and I couldn't get past Anubis. Does anyone else observe the same?

`Object.getPrototypeOf(obj)[Symbol.iterator] !== undefined`

There I fixed it. Now I don't even need the package array-ish!

How much money did the attackers make?

We didn't dodge anything, this is just 1 of 1000 publicly found and reported on

Allowing just anybody to rent npmjs.help feels like aiding and abetting.