Brenton Cleeland

npm security is a bit of a dumpster fire. GitHub blog post.

The two security issues fixed in that post (in the order they're presented, which is halfway down the page and in reverse order of severity):

  1. Private package updates were being published to the public stream of updates for over a week. This leaked company and package names, which is exactly the information an attacker needs to set up namespace clashes.
  2. An issue that allowed "an attacker to publish new versions of any npm package using an account without proper authorization". Literally a vulnerability that let an attacker update any npm-hosted package.
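As an added illustration (not code from the post or from npm), here is the check a defender would want for the namespace-clash risk in item 1: scan a lockfile for private-scoped packages that were resolved from the public registry instead of the private one. The `@acme` scope, the `npm.acme.internal` host and the lockfile contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfileVersion 2 "packages" layout).
# @acme/billing is a private package that was resolved from the public registry:
# that is the symptom of a namespace clash.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"@acme/billing": "^1.0.0", "left-pad": "^1.3.0"}},
        "node_modules/@acme/billing": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-1.4.0.tgz",
        },
        "node_modules/@acme/auth": {
            "version": "2.0.1",
            "resolved": "https://npm.acme.internal/@acme/auth/-/auth-2.0.1.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})


def package_name(path):
    # "node_modules/a/node_modules/@acme/x" -> "@acme/x": take the last node_modules segment.
    return path.rsplit("node_modules/", 1)[-1]


def find_clashes(lock_text, private_scopes, private_hosts):
    """Return (name, version, host) for private-scoped packages not fetched from a private host."""
    lock = json.loads(lock_text)
    clashes = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope not in private_scopes:
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in private_hosts:
            clashes.append((name, meta.get("version"), host))
    return sorted(clashes)


if __name__ == "__main__":
    for name, version, host in find_clashes(SAMPLE_LOCK, {"@acme"}, {"npm.acme.internal"}):
        print(f"private package {name}@{version} resolved from {host}")
```

Pinning the scope to the private registry in `.npmrc` (`@acme:registry=https://npm.acme.internal/`) stops npm from consulting the public registry for that scope, which removes the clash rather than just detecting it.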