
Since so many vendors discovered these packages seemingly independently, you'd think that they would share those mechanisms with NPM itself so that those packages would never be published in the first place. But I guess that removes their ability to sell an "early alert" mechanism through their offerings...


NPM is owned by github/microsoft. I'm sure they could afford to buy one of these products or just build their own, but clearly security is not a thing they care about.


Somehow I didn't realize GitHub purchased npm in 2020. GitHub is the second word on npmjs.org. How did I not notice?


Microsoft: GitHub, NPM, typescript, VS Code, OpenAI, Playwright

A lot of fingers in a lot of pies.


I believe someone working there once said “Developers, developers, developers, developers, developers!”


Also LinkedIn


Can't help noticing, in the original article:

> The entire attack design assumes Linux or macOS execution environments, checking for os.platform() === 'linux' || 'darwin'. It deliberately skips Windows systems

If I were the conspiracy-minded sort I might jump to some wild conclusions here.
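As an added illustration (not from the article or from anyone in this thread) of what the quoted expression does when evaluated literally: `os.platform()` returns strings such as `'linux'`, `'darwin'` or `'win32'`, and because `===` binds tighter than `||`, `platform === 'linux' || 'darwin'` is true on Linux and the truthy string `'darwin'` everywhere else. The platform value is passed in as a parameter (an assumption for offline testing) so the two forms can be compared without depending on the host.

```javascript
// Added illustration: how the quoted platform check behaves when evaluated
// exactly as written, beside the comparison that actually distinguishes
// platforms. The platform string is a parameter rather than os.platform()
// so the functions can be exercised offline.

// `platform === 'linux' || 'darwin'` parses as (platform === 'linux') || 'darwin':
// true on Linux, and the non-empty (truthy) string 'darwin' on every other OS.
function checkAsQuoted(platform) {
  return platform === 'linux' || 'darwin';
}

// Each candidate value compared explicitly; false on win32, freebsd, etc.
function checkPerPlatform(platform) {
  return platform === 'linux' || platform === 'darwin';
}

// Side-by-side table for a reviewer: constructed platform names as input.
function compareChecks(platforms) {
  return platforms.map((p) => ({
    platform: p,
    asQuoted: Boolean(checkAsQuoted(p)),
    perPlatform: checkPerPlatform(p),
  }));
}

console.table(compareChecks(['linux', 'darwin', 'win32', 'freebsd']));
```

The point for anyone reading vendor write-ups is that a condition quoted in shorthand and a condition as it appears in the code can differ in behaviour; checking the literal expression is cheap and avoids drawing conclusions from a paraphrase.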


Whoever made the exploit probably doesn’t use windows.


I’m using Windows again. By default Windows has “PowerShell”, which is not at all like bash and is (how do I say this diplomatically)… wanting.

I mean, it says something that they developed the Linux Subsystem for Windows, but it’s an optional install.


I watched an interview with Jeff Snover once and he said that they tried to make a unixy bash-like shell a few times and decided it was never going to fit in Windows. So they went a different way and took a lot of inspiration from OpenVMS.

So don’t expect PowerShell to be like a UNIX shell. It isn’t, and wasn’t meant to be one. It’s different, on purpose :)


What don't you like about PowerShell?

I'm a die-hard Linux user, and some years ago took a Windows gig on a whim. I find PowerShell fantastic and the only thing that makes my role bearable. Now, one of the first things I install on Linux is PowerShell.


The awk equivalents in PowerShell are horrific.


You don't find awk itself horrific in its own way?


PowerShell is amazing. Just don't expect it to be POSIX. Using objects and structured data is leagues better than string parsing in POSIX shells, IMO.


Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR.


On the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.

MS doesn't care


> on the other hand, the previous supply chain attack was found by automated tech.

Are you sure about this? Would love to see which ones.


The chalk/debug one: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe Socket also found it this way just a bit later.

The dev later said that Charlie notifying him probably shaved off some very important time for the remediation.

So in this case 2 different companies found it using automated tech before anyone else.


Hi, I'm Charlie from Aikido, as mentioned above. Yes, we detected it automatically, and I alerted Josh to the situation on BSky.

There's no reason why Microsoft/npm can't do what we're doing, or any of the other handful to dozen companies that do similar things to us, to protect the supply chain.

