'everything' blocks devs from removing their own npm packages

Installing 'everything' could merely have exhausted your computer's storage and slowed it down, but the package's mere existence on npmjs.com prevents authors with no connection to it whatsoever from unpublishing their packages from the world's largest JavaScript software registry.

'everything' depends on five chunk packages that between them gradually pull in every single package present on the registry as a dependency. Each of these sub-packages ultimately includes about 800 npm projects as its dependencies.

Since these 3,000+ packages manage to include every single package on the npmjs.com registry as a dependency, any author who has ever published to the npm registry is now unable to remove their packages at will, because of npm's unpublish policy.

Everything prevents you from unpublishing your packages.

The policy dates back to a 2016 incident in which left-pad's author removed his npm package in protest, breaking a large part of the internet. In response, npm made it harder for authors to unpublish packages; one such change allows authors to unpublish a package only if no other package on the registry depends on it.

What may have started as a simple prank ended up having bigger repercussions for all authors across the npm ecosystem.
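The following is an added example, not code from the BleepingComputer article or from the 'everything' project, showing why a chunked meta-package has this effect. It builds a reverse-dependency index over a constructed registry snapshot, generates chunk and sub-chunk manifests that together list every package (names, chunk counts and sizes are made up and only imitate the shape described above), and applies a simplified model of the "no dependents" rule. The real `npm unpublish` policy has further conditions that this model leaves out.

```python
"""Added example (not from the article or the 'everything' project): model how a
chunked meta-package gives every registry package a dependent, which under the
"no other package depends on it" unpublish rule blocks unpublishing.

Registry contents and package names are constructed for illustration; the
chunking scheme (a root depending on a few chunk packages, each depending on
sub-chunks, each listing a slice of the registry) mirrors the structure the
article describes, with made-up sizes.
"""
from collections import defaultdict

# Constructed registry snapshot: package name -> list of direct dependencies.
REGISTRY = {
    "left-pad": [],
    "is-odd": ["is-number"],
    "is-number": [],
    "tiny-logger": ["left-pad"],
    "lonely-pkg": [],  # nothing depends on this one yet
}


def reverse_deps(registry):
    """Map each package to the set of packages that list it as a dependency."""
    dependents = defaultdict(set)
    for name, deps in registry.items():
        for dep in deps:
            dependents[dep].add(name)
    return dependents


def can_unpublish(registry, name):
    """Simplified model of the rule quoted in the article: a package may be
    unpublished only if no other package in the registry depends on it.
    The real npm policy has additional conditions that are omitted here."""
    return len(reverse_deps(registry).get(name, set())) == 0


def build_everything(registry, root="everything", scope="@everything-registry",
                     chunks=2, subchunk_size=2):
    """Generate manifests for a meta-package that, through chunk and sub-chunk
    packages, depends on every package in `registry`. Scope, counts and sizes
    are constructed assumptions, not the real package's layout."""
    names = sorted(registry)
    # Slice the registry into sub-chunks of `subchunk_size` packages each.
    subchunks = [names[i:i + subchunk_size]
                 for i in range(0, len(names), subchunk_size)]
    manifests = {}
    chunk_names = []
    for c in range(chunks):
        chunk_name = f"{scope}/chunk-{c}"
        chunk_names.append(chunk_name)
        owned = []
        # Distribute sub-chunks round-robin so each has exactly one parent chunk.
        for s, pkgs in enumerate(subchunks):
            if s % chunks == c:
                sub_name = f"{scope}/chunk-{c}-{s}"
                manifests[sub_name] = list(pkgs)
                owned.append(sub_name)
        manifests[chunk_name] = owned
    manifests[root] = chunk_names
    return manifests


def blocked_after_everything(registry):
    """Original packages that could be unpublished before the meta-package
    existed but no longer can once it is published alongside them."""
    before = {n for n in registry if can_unpublish(registry, n)}
    merged = {**registry, **build_everything(registry)}
    after = {n for n in registry if can_unpublish(merged, n)}
    return before - after


if __name__ == "__main__":
    print("unpublishable before:",
          sorted(n for n in REGISTRY if can_unpublish(REGISTRY, n)))
    print("newly blocked:", sorted(blocked_after_everything(REGISTRY)))
```

Before the meta-package is added, only packages nobody depends on (here `is-odd`, `lonely-pkg`, `tiny-logger`) pass the check; after it, every package in the snapshot has a sub-chunk as a dependent, so none pass, regardless of whether the author had anything to do with 'everything'.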


This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 04 Jan 2024 09:55:11 +0000