

11 days ago
May all Musk’s businesses have the same results. Amen.




1945: the US defeats the Nazis 80 years later: just kidding, the US became the Nazis.
What are you doing about it? We all know how it’s going to turn out.


Try Dankpods’ YouTube channel, I believe he is into them and has some favourites, though I can’t remember exact model numbers off the top of my head.
This article talks about “typosquatting”, which just means they introduced packages with a similar name to other packages, but in this case also containing malicious code.
I expect other package managers to be just as vulnerable to this. The only way I can think of to mitigate this is very strict registry policies, someone checking all versions of all packages in the registry to make sure there is no malicious code in them. That would take a lot of effort.
I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.
I don’t believe yarn is any more secure than npm, especially not for this type of attack. Yarn used to be a bit more secure because it checked checksums where npm didn’t, but that has been added to npm as well now (https://sebhastian.com/npm-err-code-eintegrity/).
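The two defensive ideas in the comment above, catching look-alike package names before they are installed and relying on the lockfile’s checksums, can both be checked with a small script. The following is an added example, not code from the thread or from npm itself: it flags manifest dependencies whose name sits within a short edit distance of a well-known package name (the `knownPopularPackages` list, the `demo-app` manifest and the lockfile entries are all constructed for the demo), and it reports lockfile packages that lack the `integrity` digest npm uses for its EINTEGRITY check.

```javascript
// Added example (not from the original thread): a typosquat screen for
// package.json plus an integrity-field audit for package-lock.json (v2/v3).
// Every piece of sample data below is constructed for the demonstration.

// Levenshtein distance between two strings, classic two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Report dependencies that are NOT a known package but look very much like one.
// An exact match is the real package and is skipped; maxDistance keeps the
// screen narrow (1-2 edits covers dropped letters, swapped letters, extra letters).
function findTyposquatCandidates(manifest, knownNames, maxDistance = 2) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const known = new Set(knownNames);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.has(name)) continue;
    for (const candidate of knownNames) {
      const distance = editDistance(name, candidate);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ name, similarTo: candidate, distance });
      }
    }
  }
  return findings;
}

// Walk the "packages" map of a lockfileVersion 2/3 file and report entries
// without a well-formed Subresource-Integrity style digest ("sha512-<base64>").
function lockfileIntegrityProblems(lockfile) {
  const digestPattern = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;
  const problems = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;      // root project entry, never has a tarball digest
    if (entry.link) continue;       // workspace symlink, nothing to hash
    if (!entry.integrity) {
      problems.push({ path, reason: "missing integrity" });
    } else if (!digestPattern.test(entry.integrity)) {
      problems.push({ path, reason: "malformed integrity" });
    }
  }
  return problems;
}

// --- constructed sample input ---------------------------------------------
const knownPopularPackages = ["lodash", "express", "react", "chalk", "moment"];

const sampleManifest = {
  name: "demo-app",
  dependencies: {
    "lodash": "^4.17.21",        // genuine
    "expres": "^4.18.2",         // one letter short of "express"
    "chalk": "^5.0.0",           // genuine
    "my-internal-lib": "1.0.0",  // unrelated name, should not be flagged
  },
};

// Constructed placeholder digest with the right shape (88 base64 chars for sha512);
// it is not a real hash of any tarball.
const fakeSha512 = "sha512-" + "A".repeat(86) + "==";

const sampleLockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: sampleManifest.dependencies },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: fakeSha512,
    },
    "node_modules/expres": {
      version: "4.18.2",
      resolved: "https://example.invalid/expres-4.18.2.tgz",
      // no integrity field: npm cannot verify the tarball it downloads
    },
  },
};

console.log(JSON.stringify({
  typosquatCandidates: findTyposquatCandidates(sampleManifest, knownPopularPackages),
  integrityProblems: lockfileIntegrityProblems(sampleLockfile),
}, null, 2));
```

In practice the known-names list would be the top few thousand registry packages or an organisation’s internal allow-list, and the script would read the real `package.json` and `package-lock.json` with `fs.readFileSync` instead of the constructed objects; the edit-distance screen only narrows what a human reviews, it does not prove a package is malicious.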