Major bank accidentally published a private package to the public NPM Registry

This is bad design. I may have come close to doing this as well for the same reason. There is no reason why NPM should auto-register you when you attempt to publish (or auto-register when you attempt to sign in) other than to remove a few steps/friction to make it seem like a nice experience.

Explicit vs. Implicit : always choose explicit if accidents can cause people serious pain. npm login that is secretly npm "create account" is a serious anti-pattern. And npm publish -> npm login -> npm create account is a consequence of that.

It would make sense to print the registry before asking for the new version in `yarn publish`, so that you get a chance to double-check that the publish target is what you expect. Will open a PR for the 1.16, unless someone beats me to it :)

> What saved me was that the package was inside an organisation ("@foo/bar") and those are not free on NPM...

(Public) Orgs _are_ free on NPM (at least nowdays) so maybe even that wouldn't have saved you.

Yeah, when I first started playing around with node I accidentally published one of my "hello world"-like apps to NPM's public registry. There was definitely no warning or indication of the severity of the action I was undertaking.

It's an easy mistake to make. What is concerning is that the bank didn't notice for three years... I feel like that should have been caught a lot sooner.

These days, I would never run publish myself in a corporate environment. A script that is triggered on pushing tags should take of that to precisely avoid such human errors. And of course changes to this script have to be reviewed.

Also, a .rc file (package manager chosen by the team) with a private registry that refuses to publish unless done automatically by the pipeline set in the root of every project.

The only reason I find it understandable how it could happen at a major bank (these days, they should have a sizeable team that takes care of security measures like I described) is that this was 3 years ago. Publishing to private registries was relatively new back then, so people didn't have proper publishing workflows yet.

I mean... I guess mistakes can still happen. But on a scale of 1-10, I would find such a mistake far less excusable today considering the circumstances. Small, inexperienced team, maybe constant deadline pressure - more excusable. Duh...

Wouldn't `npm unpublish --force` revert this? If you provided an email you'd get a notification about a published package so you'd notice immediately even if you didn't at first.

If this happens often, perhaps the user interface for npm publish needs to change? I mean, that's the only thing I can see mitigating this, with like a nice dialog that says "hey, are you REALLY REALLY sure and have you consulted lawyers on this???"

Or something to that effect. Or maybe companies can just pony up for NPM Enterprise which fits their use case.

Adding 'private: true' to the package.json prevents publishing to _any_ registry, including a corporate proxy. Adding a string or regex option for private that would only publish to matching registries may prevent issues like this.

I ask for regex only because our corp proxy binds to a random port reach time it runs so a static string wouldn't be flexible enough.

How much of them sending takedown notices was a desperate posturing of "omg please please please please don't use our code!!!"

I can't possibly see how they would possibly have any case.

That reminds me of a hosting client I used to have, which we got a DMCA takedown notice for: "They are using our software without a license." I replied: "They are a local reputable University, have you tried contacting them?" "I wasn't able to get ahold of them." "You weren't able to get ahold of a UNIVERSITY?!?" "Well, I didn't really try. I'm a subcontractor, in another country, and can't afford to make phone calls about it."

I had also reached out to our client contact. They contacted the CMS company, provided them with the license information, and then switched to another CMS.

Maybe that's the difference between a specialist and a generalist. A lawyer who has experience and expertise working with the software industry is unlikely to make those kinds of silly mistakes. A lawyer who has no software industry experience, who just does general business law, contracts, real estate, wills, etc, who maybe even has some industry-specific experience in other industries like finance or manufacturing or construction, and thinks "software can't be that different"–that is the kind of lawyer who is far more likely to demonstrate that species of ignorance.

I couldn't agree more. I've yet to attend a meeting between legal and tech ops that hasn't been traumatizing for just about everyone involved.

I think lawyers need to talk amongst themselves more; there are certainly even ones who specialise in open-source.

He was also concerned that we were letting people 'View Source' our web pages and stealing our IP.

...and here is where the DRM advocacy comes in. Don't let them ruin the Internet...

You're very lucky if that's all they did. Lawyers sometimes engage into legal pissing contests that can drag on for months on end. There's nothing more infuriating as a sales than two attorneys dragging their feet over legal minutia while literally everyone else (you and your team, your future customer and their team) would like to move forward and get started.

I think that’s the perfect opportunity to let people in the enterprise world you have a solution for their problem. I wouldn’t expect any software targetted so specifically at enterprise to be free, and reaching the IT department of big companies to sell them your solution is a real pita.

So, good job.

They're a little SMH'd over this. And they have to pay their lawyer to deal with it. This cost them money so it is completely appropriate to mention Enterprise.

How would you prefer free software be funded? :-P

And on a little website known as Github there is a lot more :) (and Google Search stays the #1 reliable source of private data followed by AWS S3).

Even with this, people are dumb. It's probably not a case of "we didn't realize we were publishing to" and instead a case of "some dev didn't realize this was a bad idea".

You'd think it's like, some proprietary trading algorithm, but in reality it's probably their own implementation of left-pad.

I also work at one of the top tier banks but I’m not quite as doom and gloom as you. (Maybe I’m one of the 1.01011% – finally!)

It’s certainly true that some security practices within our organization seems more like security theater than anything else, but overall I think they have pretty reasonable standards and requirements set. It is very true though that the culture is almost entirely focused on compliance more than anything else, so there’re few proactive measures taken by teams. Lord knows no team I’ve ever seen outside of security wants to budget for it. Maybe it’s a damned if you, damned if you don’t kind of situation. If you don’t set compliance regulations you’ll get no security (move fast and break things, yay!) but if you do you end up with people ticking boxes saying “the thing is secure and stuff yo” and then play the blame game when it isn’t.

My feeling though, having worked with top tier banks in the financial industry for the last 8 years or so, is that more people are competent than not, but process stifles creativity and drive a lot of the time. It’s a very special kind of environment to work in.

As someone who also works at a bank (though not a large national one) I get the same feeling, though I understand it to an extent. Not complying to bank standards means you get dinged if you get audited. Getting dinged means you will most likely get your budget cut by an amount next quarter. Or get the group "reorganized".

Do you own @corp-internal or is it otherwise blacklisted?

What stops someone from creating that account and owning that org?

They wouldn’t believe it’s real at $35.

Maybe $35/byte. Then the lawyers could haggle, get it reduced to $35/non-white space byte, and feel like they accomplished something.

Some companies like to practice security through obscurity. So you might be worried that someone trying to exploit the system would have an easier time testing effective exploits.

Another thing is the code itself, you don't want competitors seeing your implementation if you feel that it gives your company an advantage over others. There may be data structures or algorithms that are internal company knowledge only and defined in the code.

npm doesn't allow you to delete a package once it has some downloads to prevent another left pad incident. I'm sure they can make exceptions, but it's not as simple as a quick CLI command.

You would think so, but perhaps they didn't have the credentials.