Boosted by jsonstein@masto.deoan.org ("Jeff Sonstein"):
nullagent@partyon.xyz wrote:
Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft-owned platform.
Unlike nodejs package index https://socket.dev, NPM does not show ANY security warnings on these packages' pages.
It's pretty wild that these known compromised packages have been circulating for four days now with no response or action from Microsoft despite it being one of the largest security stories this month.
