

That sounds more like bad practices from the community. It definitely has ways to use exact versions, not the least of which is the lock file, or the shrinkwrap file, which public packages should be using.
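To make the two controls named above concrete, here is an added example (not code from the thread or from npm itself) that audits a `package.json` together with its `package-lock.json`: it reports dependency specs that are ranges rather than exact versions, and lock entries that lack the `resolved`/`integrity` pair that lets `npm ci` reject a tampered tarball. Both manifests are constructed sample data; the registry hostname and the hash values are placeholders.

```javascript
// Added example, not from the thread or from npm. Audits a package.json /
// package-lock.json pair for: (a) range specs that could pull a newer release
// on a fresh install, (b) lock entries with no resolved URL or integrity hash.
// All manifests below are constructed samples; hostnames/hashes are placeholders.

// An exact semver version: MAJOR.MINOR.PATCH with optional pre-release/build.
// Anything else (^, ~, *, >=, dist-tags like "latest", git URLs) is a range.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return "field:name@spec" for every dependency whose spec is not an exact version.
function findRangeDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) out.push(`${field}:${name}@${spec}`);
    }
  }
  return out;
}

// lockfileVersion 2/3 lists every installed package under "packages", keyed by
// its node_modules path. Each fetched entry should carry "resolved" and an SRI
// "integrity" hash; npm ci verifies the downloaded tarball against that hash.
// Entries missing either are returned so a CI step can fail the build.
function findUnpinnedLockEntries(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;   // the root project itself, nothing is fetched
    if (entry.link) continue;    // workspace symlink, nothing is fetched
    if (!entry.resolved || !entry.integrity) out.push(path);
  }
  return out;
}

// Constructed sample manifest: one pinned dependency, two ranges.
const samplePackageJson = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: { left: "1.2.3", right: "^4.0.0" },
  devDependencies: { tool: "~2.1.0" },
};

// Constructed sample lock (v3 shape); "right" deliberately lacks its integrity hash.
const sampleLock = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/left": {
      version: "1.2.3",
      resolved: "https://registry.example.invalid/left/-/left-1.2.3.tgz",
      integrity: "sha512-PLACEHOLDERHASH==",
    },
    "node_modules/right": {
      version: "4.0.2",
      resolved: "https://registry.example.invalid/right/-/right-4.0.2.tgz",
    },
    "node_modules/tool": {
      version: "2.1.5",
      resolved: "https://registry.example.invalid/tool/-/tool-2.1.5.tgz",
      integrity: "sha512-OTHERPLACEHOLDERHASH==",
    },
  },
};

// Run both checks over the sample data and return the findings.
function auditSample() {
  return {
    rangeDeps: findRangeDeps(samplePackageJson),
    unpinned: findUnpinnedLockEntries(sampleLock),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

In a real project you would feed `findRangeDeps` and `findUnpinnedLockEntries` the parsed `package.json` and `package-lock.json` (or `npm-shrinkwrap.json`, which, unlike `package-lock.json`, is included when a package is published) and fail the build on any finding; install with `npm ci` rather than `npm install` so the lock file is honoured exactly and a mismatch between it and `package.json` aborts the install.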


Genuine question. How is NPM more vulnerable than other repos? Haven’t similar supply chain attacks succeeded at least as well as this one through GitHub itself and even Linux package repos?


Nahh, this seems exactly like something that would happen from advanced text predictors, which is exactly what ALL of these LLM “AI” are. The instructions are in English, no doubt. Of course there is a strong association with English words despite, “in Mexican” surely being somewhere in the “instructions”.
This is just more ELIZA effect in action… Fucking braindead execs/etc failing to understand that it is literally just advanced text prediction that’s fed through a TTS “AI” driven system, that’s surely given just as tenuous of a connection to Spanish as the text predictor…
(I know your comment seems aware of that fact given the AGI slamming, I just had to vent in a way that describes why it’s such bullshit)


ELIZA effect in full swing… Humans really are gullible.


It’s working great to convince moronic executives to leave Windows when it fucks up majorly due to AI coding, which is a win for everyone.
I wouldn’t say pulling in higher versions is unsafe unless an attack like this succeeds. Otherwise it’s only an annoyance.