steal-ur-stuff VS event-stream

I actually did a POC 7 years ago about this - https://github.com/tanepiper/steal-ur-stuff

It was reported to npm at the time, but they chose to ignore it - https://github.com/npm/npm/issues/17724

postinstall malware I reported almost 7 years ago with npm - that it can run any arbitrary script locally or remotely.

I should really get around to how I discovered this 6 years ago and still nothing done about it

Whenever something like this comes up I usually have to tap the sign (and the original report)

Ahh this old one - I wrote a similar package a while back as a proof of concept that npx is a bad idea 5 years ago - the developer at npm at the time told me it wasn't a problem.

Please don't do this and never make it an actual dependency.

Not only that it can run arbitrary code contained in a Gist and I showed this 4 years ago https://github.com/tanepiper/steal-ur-stuff

[3] https://github.com/tanepiper/steal-ur-stuff

Another possible outcome of "I gave commit rights to someone I didn't know": https://github.com/dominictarr/event-stream/issues/116

Whole npm ecosystem is so fragile.

Remember event-stream[1]? Did we learned something from that? Yes, we might. So was it improved? Never. People are still installing 'new' colors package and wondering why its texts are broken.

What if he uploaded malicious code rather than just just gibberish?

[1]: https://github.com/dominictarr/event-stream/issues/116

foo-bar version 1.0 depends on bada-boom 1.0 which depends on bada-bing 1.0. Now you update to foo-bar 1.1 because of some critical update, which in itself now depends on bada-boom 2.0 and bada-bing 2.0. But unbeknownst to you and the author of foo-bar, the bada-boom and bada-bing project was taken over by another maintainer who made an update, but also added some trojan horse code to specifically attack certain users, which was obfuscated and remained undetected. Which has happened before - not just browser extensions are affected by malicious attackers taking over useful projects.