Widely acceptable package's need more security and authorship!
I believe engineer's will soon further realize it's the responsibility of the authors that make a community trustworthy.
I've been an avid customer of the Security Platform Synk for many years inorder to keep project's safe with recent patches, updates and miscellaneous cyber news for software engineering.
The most reason incident involving the NPM packages being compromised in TanSack has been a major eye opener.
I'm a fan of React JS.
As a developer, or engineer or hobbyist, you depend on packages for your development strategies.
The idea of people producing destructive packages and getting the package signed and distributed is the fault in the authentication and legitimate authorship of packages.
This is a deeply unfortunate reality for companies such as NPM since these companies become larger and fail to be audited.
The moment, a package management system becomes vulnerable due to consistent attacks or hijacked attempts — We hope the companies working on the incident are communicating with many different opinions.
In the concept of software development during the time before AI.
Many developers would never publish information related to configuration and setting up infrastructure online.
Since the developers understood the internet was widely understood as dangerous and untrustworthy.
Package manager's do provide value however they become subject to attack.
In the modern day technology field we see today. Documentation has been made to be more accessible.
The truth is the incident did have a negative effect.
"malicious npm package artifacts were published across 42 packages in the
@tanstacknamespace" authored by Synk.
If the package artifacts had been built to be malicious.
The NPM package is considered to be a "WORM" which continuously looks to steal Github tokens and credentials.
The Worm is built to target locations commonly known for your applications.
For instance, critical configuration file locations in AWS or ai agent setting locations in vs-code.
Naturally many people wouldn't like pointing the problem to be related to AI.
However, after an incident which bypassed NPM's publishing and authorship.
The problem is clearly due to AI having access to the same information as developers.
Since many major platforms require setup and have general information like configuration locations found online.
AI has the ability to search online making "Worms" easier to create.
A problem like this could and will alter how people build in the future of app development.
One would say the talented developer's have a deeper problem than building websites for their customers.
For instance if an NPM package was able to be purposely built for negative and destructive behavior and get through the authorship and ownership verification systems of NPM.
The same "WORM" NPM package was published to a package management system without being blocked.
We can conclude, Authorship has failed, Ownership has failed and Trust has been put at risk.
NPM packages are written entirely in JS that can reach millions of downloads in a week.
These same packages can and are becoming even more vulnerable due to the nature of AI.
When was the last time approvals or hiring practices changed to better protect the authorship of developers and prevent malicious packages?
Since the recent incident — The worm (Mini Shai-Hulud) attempted to find Github credentials through a published NPM package.
The worm (Mini Shai-Hulud) shown to have utilized AI Agents to spread further.
Always Trust in certified security professionals like Synk to be handling business appropriately and help the small engineers move forward.
Vulnerable AI Agent's
Any time software can run and execute code autonomously, logging and authorship need to be considered.
A new battlefield.
In Conclusion
As you become a developer with more responsibilities, remember to be respectful of authorship and ownership.
Creating destructive application and attempting to access unauthorized projects only damages the community further.
Reputation matters more when you are authoring your very own original ideas and better solutions to help people grow.
We are writing to help our community of beginners and advanced developers grow.
We're grateful for your readership and your following.
P.S. If you're a fan of Medium as much as we are, consider supporting me and the thousands of other writers on ko-fi.
It only costs $8 for a coffee, and it supports us writers. Thank you, Greatly.