March 19, 2022

21:54

Ah, NPM has been hit again by another dev putting rogue code in one of his modules. This time to protest the war in Ukraine by deleting files on machines with a Russian IP address.

Of course, this kind of thing could hit any programming language with a package management system, but it seems to primarily happen with NPM. Why? Simple: JavaScript was never intended to be used for anything but DOM manipulation. It’s a toy programming language without a type system, and the lack of one makes it a popular choice for beginners and career jumpers. As a result, there are plenty of programmers out there who can barely stitch together software by copy-pasting solutions from Stack Overflow (but still insist on being employable after finishing a coding bootcamp).

When that’s your culture, it follows that your package repository gets littered with tons of trivial modules by obscure developers looking for a fast and easy way to build a portfolio. Of course, they don’t get the desired exposure when their module becomes a second- or third-level dependency in someone else’s project, but they do get leverage by being able to break things at scale.
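To make that leverage visible, here is an added example (not code from the original post) that walks a package-lock.json v2/v3 `packages` map, resolves dependencies the way npm nests them, and reports which of your direct dependencies transitively pull in a given module and through which chain. The lockfile below is a constructed sample with made-up package names.

```javascript
// Constructed sample lockfile: two unrelated top-level deps both end up
// depending on the same obscure module three levels down.
const LOCK = {
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "cli-colors": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.2.0", dependencies: { "tiny-util": "^3.0.0" } },
    "node_modules/cli-colors": { version: "2.1.0", dependencies: { "tiny-util": "^3.0.0" } },
    "node_modules/tiny-util": { version: "3.4.0", dependencies: { "leftish-pad": "*" } },
    "node_modules/leftish-pad": { version: "0.0.9" },
    "node_modules/safe-lib": { version: "1.0.0" }, // installed but not reachable from the root
  },
};

// Resolve `name` from the package at `fromPath` the way Node does: look in the
// nearest nested node_modules first, then climb towards the project root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For every direct dependency, breadth-first search the dependency graph and
// return the shortest chain of package names that reaches `target`.
// Result: { directDepName: ["directDep", ..., target], ... } (unreachable deps omitted).
function reach(lock, target) {
  const pk = lock.packages;
  const result = {};
  for (const top of Object.keys(pk[""].dependencies || {})) {
    const start = resolve(pk, "", top);
    if (!start) continue;
    const queue = [[start, [top]]];
    const seen = new Set([start]);
    while (queue.length) {
      const [path, chain] = queue.shift();
      if (chain[chain.length - 1] === target) { result[top] = chain; break; }
      for (const dep of Object.keys(pk[path].dependencies || {})) {
        const next = resolve(pk, path, dep);
        if (next && !seen.has(next)) { seen.add(next); queue.push([next, chain.concat(dep)]); }
      }
    }
  }
  return result;
}

console.log(reach(LOCK, "leftish-pad"));
```

On a real project, replace `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; every key in the result is a direct dependency whose upgrade would silently ship the target module's next version.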