Posted by alligatorplum 4 hours ago

'No way to prevent this,' says only package manager where this regularly happens (kevinpatel.xyz)
234 points | 93 comments (page 2)
computersuck 52 minutes ago
Do not fucking use npm. Stay the fuck away from it. Want to write JS? AI can now write vanilla JS for you with no libraries. Own your code.
p-e-w 3 hours ago
With the recent high-profile attacks on PyPI packages, it’s no longer true that npm is the “only package manager where this regularly happens”.

In fact, pip is much more dangerous than npm because it lacks a lockfile. uv fixes that, but adoption is proceeding at a snail’s pace.

godzillabrennus 3 hours ago
UV adoption is happening, though. NPM is still the only name in town.
manquer 2 hours ago
Huh? uv is a package manager, not a registry.

In the JS world there is plenty of competition for package managers: pnpm/yarn/bun are all viable alternatives to npm the package manager.

Public registries for languages tend to coalesce around one service. Nobody wants to publish their library to 4 different registries.

esafak 2 hours ago
Apparently it does now: https://packaging.python.org/en/latest/specifications/pylock...

https://pip.pypa.io/en/stable/cli/pip_lock/

But who cares about pip, uv is here.

fragmede 2 hours ago
I don't know about snails, but everything I'm in contact with has moved over to uv, and I can't imagine I'm the only one.
lateral5 47 minutes ago
[flagged]
skeledrew 2 hours ago
No surprise here. That's what you get when you have a language/ecosystem where core devs refuse to fix fundamental flaws, cuz for them breaking backwards compatibility is the worst crime that can ever be committed. And so all that happens in JS-land will eternally be layering lipstick on the pig in the cesspool. Too afraid of going through something similar to the Python 2 -> 3 fiasco, I guess because too many web devs and site admins would be incensed at being forced to fix their broken universe; as if it isn't already broken in its current condition.
exabrial 3 hours ago
I really don't understand why the npm project cannot embrace PGP as an ambulatory 'good enough' solution.
loloquwowndueo 3 hours ago
The NIH mentality in the ecosystem would result in a JavaScript pgp library which itself would be an npm package and subject to supply chain attacks. lol.
panzi 2 hours ago
A good part of it is already implemented in web crypto, which is supported by browsers and node. There is a chance that npm could implement something there without extra dependencies. Maybe I'm too optimistic?
Gigachad 3 hours ago
Would that help? In most of these recent attacks, the attackers have gained access to the system that builds the packages. So it would have just signed the malicious build the same.
raggi 2 hours ago
Nope, it doesn't help. Signatures and removal of script points have zero net effect on the value of the target that the ecosystem has, or on how easy/hard it is to write a worm. The package code gets run (this is statistically true), and the exploited developers/environments will sign packages (this is also statistically true).
saghm 2 hours ago
Probably the same reason that pretty much no other package manager (or even major email provider, when email is ostensibly the most famous use-case for it) has adopted it: the UX is atrocious.
7e 1 hour ago
The answer is LLM inspection. Which, sadly, raises the cost of software, especially once evil LLMs start hiding the backdoors better. Long term the answer should be CHERI, in my opinion.
eulgro 2 hours ago
These satire articles on cybersecurity are really entertaining.

The other one a few days ago was also good: https://nesbitt.io/2026/02/03/incident-report-cve-2024-yikes...

joshka 1 hour ago
...so far...
qrush 3 hours ago
[flagged]
rileymat2 3 hours ago
I read it as a comparison of the attitude of helplessness around it, not the acts themselves. So it was a bit meta, but unremarkably inoffensive.
mikepurvis 3 hours ago
I don't think it's comparing them directly or arguing for equivalent seriousness. It is identifying a similarity of mindset where those who have their hands on the levers of power that could materially improve the situation act like there's nothing they can do.
mrandish 3 hours ago
But it's not comparing to school shootings, it's satirizing supposedly responsible parties who continue to deny responsibility despite repeated catastrophic failures which are their responsibility.
p-e-w 3 hours ago
You’re right. Major supply chain attacks affect far more people than school shootings do, and can potentially cost more lives through downstream effects.

It’s 2026. Software is critical infrastructure for global civilization now. Lives and livelihoods depend on it working reliably. The “it’s just bits on a computer” quip has been outdated for 20 years now.