Fortunately, the spread of trojanized packages is limited to newly built applications only, because nobody updates NPM libs anyway 🤷‍♂️
So as long as everyone sticks to the tried strategy of "let's hold and wait to see if others get infected", we don't need any package signatures etc. #security
https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/