March 19, 2022


Ah, NPM has been hit again by another dev putting rogue code in one of his modules. This time to protest the war in Ukraine by deleting files on machines with a Russian IP address.

Of course, this kind of thing could hit all programming languages with a package management system, but it seems to primarily happen with NPM. Why? Simple, JavaScript was never intended to be used for anything but DOM manipulation. It’s a toy programming language without a type system and the lack of that makes it a popular choice for beginners and career jumpers. As a result, there are plenty of programmers out there, who can barely stitch together software by copy&pasting solutions from Stackoverflow (but still insist on being employable, after finishing a coding bootcamp).

When that’s your culture, it follows that your package repository gets littered with tons of trivial modules by obscure developers, looking for a fast and easy way to build a portfolio. Of course, they don’t get the desired exposure, when their module becomes a second or third level dependency in someone else’s project, but they do get leverage by being able to break things on a scale.