>The popular npm package "is" was infected with cross-platform malware

>The malware captures data including all environment variables (often a source of secrets such as credentials), exfiltrates them via a WebSocket connection, and provides the attacker with an interactive remote shell. The malware runs on Node.js on macOS, Linux and Windows, and persists itself if possible by overwriting an index.js file so that even deleting the node_modules directory, which stores downloaded packages, will not remove it.

https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/

>>106007909 (OP)
how the fuck does this happen?

aren't there supposed to be like 10 jannies on GitHub checking every PR before merging?

>>106007909 (OP)
>The popular npm package "is"
Is this something "is-even"?

>>106007933
Apparantly maintainers fell for phishing attacks so the malware was introduced using their maintainer accounts

>>106007948
It's a 3rd party package for type checking
>javascript

>>106007961
I wish this shocked me

>>106007909 (OP)
> more npm malware
npm was a mistake and the people responsible for it and using it.. may god have mercy on their souls.

>>106007909 (OP)
open source equals better security if we lived in the FSF fantasy world where everyone is an expert programmer with unlimited free time and audits don't cost money

>>106009946
>FSF
>Open sores

>another shitty bait thread where the low IQ OP and his lower IQ followers preaching the evils of "freetardism" ignore the part where it was spotted neigh instantly and revoked with little to no damage

the reality is, in a closed ecosystem, there are even LESS people who can spot this shit at all and even less people you need to target to infect it.