

GenDigital is the new name of Symantec?
I never know whether they are the creators of or the protectors against malware.
What are your thoughts? IMO the concept of protecting executions of an AI agent sounds like a good idea, right?



I trust most foreign governments more than the US government though…


This article talks about “typosquatting”, that just means they introduced packages with a similar name to other packages but in this case also containing malicious code.
I expect other package managers to be just as vulnerable to this. The only way I can think of to mitigate this is very strict registry policies, someone checking all versions of all packages in the registry to make sure there is no malicious code in them. That would take a lot of effort.
I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.
I don’t believe yarn is any more secure than npm, especially not for this type of attack. Yarn used to be a bit more secure because it checked checksums where npm didn’t, but that has been added to npm as well now (https://sebhastian.com/npm-err-code-eintegrity/)
Already looking forward to receiving all the spam calls.