more details: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan Most likely, a maintainer's GitHub and npm accounts are compromised as these iss...
I always advocate switching to pnpm where install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.
Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.
I always advocate switching to
pnpmwhere install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.