Nothing to do with nom itself. This sort of scam would have worked with many different technologies, even a Makefile.
Cat related technology like noms and toe beans are immune to this exploit. =3
FYI, npm 12 will have more secure defaults https://github.blog/changelog/2026-06-09-upcoming-breaking-c... but it will be a while for the ecosystem to catch up, and npm's reputation is already damaged.
How does npm differ from any other package manager in that sense?
They typically don't execute arbitrary code when setting up the project.
If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install a binary jar into the local .m2/repository and later use it as a plugin during the generate-sources phase, and that is something an IDE will want to do when opening a project. NPM attacks are really a product of its popularity (and the update churn that the community has already got used to).
deleted
Because, uh, every OS on earth has the exact same vulnerabilities? How are you supposed to stop a user from downloading something random from the internet and running it?
Some POSIX-like systems mount /home with noexec in fstab.

Practically, most systems leave it off because many out-of-band user-space scripting-language package ecosystems stop working. =3

There are also adaptive application firewalls that are user friendly.

https://github.com/evilsocket/opensnitch

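As an added illustration (not code from anyone in this thread) of the noexec-in-fstab check mentioned above: a POSIX sh audit that reads an fstab (a constructed sample here, standing in for /etc/fstab) and reports whether a given mount point carries noexec, plus a live check via findmnt. The function names fstab_opts, has_noexec and audit_live and the sample UUIDs are my own inventions.

```shell
#!/bin/sh
# Constructed sample fstab; /home here lacks noexec, /tmp has it.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-aaaa /      ext4  defaults                         0 1
UUID=2222-bbbb /home  ext4  defaults,nodev,nosuid            0 2
tmpfs          /tmp   tmpfs defaults,noexec,nosuid,nodev     0 0'

# The hardened /home line the thread alludes to (constructed).
HARDENED_HOME='UUID=2222-bbbb /home ext4 defaults,nodev,nosuid,noexec 0 2'

# fstab_opts FSTAB_TEXT MOUNTPOINT -> prints the options field for that mount point.
# Comment lines and malformed lines (fewer than four fields) are skipped.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == mp { print $4; exit }'
}

# has_noexec FSTAB_TEXT MOUNTPOINT -> exit 0 if the entry carries noexec, 1 otherwise
# (also 1 when the mount point is not listed at all).
has_noexec() {
    opts=$(fstab_opts "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_live MOUNTPOINT -> checks the options actually in effect, which can differ
# from fstab after a remount. Exit 0: noexec set; 1: not set; 2: cannot determine.
# Caveat (as the reply below notes): noexec blocks direct execution of files on
# the mount, not an interpreter elsewhere reading them, e.g. "node script.js".
audit_live() {
    command -v findmnt >/dev/null 2>&1 || { echo "findmnt not available"; return 2; }
    live=$(findmnt -no OPTIONS "$1" 2>/dev/null) || { echo "$1 is not a mount point"; return 2; }
    case ",$live," in
        *,noexec,*) echo "$1 is mounted noexec"; return 0 ;;
        *)          echo "$1 is mounted without noexec"; return 1 ;;
    esac
}

# Run directly: audit the sample, then the live /home if this is a real system.
if [ "${0##*/}" != "sh" ]; then
    has_noexec "$SAMPLE_FSTAB" /home && echo "sample: /home noexec" || echo "sample: /home lacks noexec"
    has_noexec "$HARDENED_HOME" /home && echo "hardened: /home noexec"
    audit_live /home || true
fi
```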
noexec clearly isn't going to help if you run untrusted JavaScript...
Sometimes, but nodejs or npm won't work properly without the headless Chromium VM, and would need to bypass the local file-access security-sandbox restrictions that most normal system web browsers enforce by default.

If root installs OS-supported VM packages, then it would be pointless to complain that the system runs as expected. As a sentient turnip, I probably wouldn't know for sure... =3

npm is hard to avoid, as other ecosystems have integrated it as a cross-platform build/installer script bootstrap.

Indeed, all things nodejs are usually a dumpster fire at a hair salon, but the real point here was that people always inherit whatever the previous cheapest labor built at that office. Also, people usually don't get to make architectural decisions for a long time. =3
