top | item 45039418

(no title)

jim201 | 6 months ago

Pardon my ignorance, but isn’t code signing designed to stop attacks exactly like this? Even if an npm token was compromised, I’m really surprised there was no other code signing feature in play to prevent these publish events.

discuss

bagels|6 months ago

Code signing just says that the code was blessed by someone's certificate who at one time showed an id to someone else. Nothing to do with whether the content being signed is malicious (at least on some platforms).

unknown|6 months ago

[deleted]