Post B0bYoiS7mYIp7v77dw by jcoglan@mastodon.social
 (DIR) Post #B0bYoeQuj6xQf0W6CW by jcoglan@mastodon.social
       2025-11-25T10:30:36Z
       
       0 likes, 0 repeats
       
       it is really astonishing that npm has not even publicly acknowledged the potentially ongoing credential-stealing worm attack. what is going on in there
       
 (DIR) Post #B0bYog3agnUPhFcV7o by jcoglan@mastodon.social
       2025-11-25T10:31:10Z
       
       0 likes, 0 repeats
       
       I'll also note that this is being framed as "supply chain security" when the actual problem is the combined set of capabilities of npm and github, both of which are the property of microsoft. this is a microsoft problem
       
 (DIR) Post #B0bYohY78nV2KCuOLA by jcoglan@mastodon.social
       2025-11-25T10:33:26Z
       
       0 likes, 0 repeats
       
       as long as npm continues to allow any form of unsupervised publishing, this will continue to be a problem. I don't think that reducing token lifetime will help; it is an annoyance that people will just work around. you have to *require* the active participation of the publisher
       
 (DIR) Post #B0bYoiS7mYIp7v77dw by jcoglan@mastodon.social
       2025-11-25T10:36:14Z
       
       1 likes, 0 repeats
       
       this doesn't mean you can't *automate* publishing; there's a lot to like about automation and I won't pretend I love doing my publishing "manually". but you do need it to be *actively supervised* and prove that the package owner has specifically authorised each release