> since a bunch of people are responding with "every package manager can be hit!!!": npm, by design, allows all packages to run package-supplied arbitrary code as the logged-in user after an update completes.
This is semi-common and in no way unique to NPM.
What other package managers do this? I don’t think Ruby does
You're right. I said the same thing and got downvoted too. Don't let it discourage you.
And even in the ones that don't, having to wait until the project executes to begin its attack is a minor inconvenience for malware.