It seems like every week there's another story of NPM packages being hacked, hacking developer machines, or just mining crypto currency for the fun and profit of it all. Thankfully a new report states that NPM is more secure than ever. An average of only 1 in 3 packages knowingly containing malware.
After a tumultuous year of attacks like Shai-Hulud, Shai-Hulud 2.0, Mini Shai-Hulud and an unending supply of phishing campaigns, the security improvements made by GitHub/Microsoft are starting to pay off.
The NPM team said in their celebratory blog post, "We had an unconventional idea. If we made people check a box on package upload stating their package does not contain malicious code, it might reduce the total malware uploaded. After implementing the change for accounts with less than 2 packages, we saw a dramatic drop in new malware. We plan to roll it out to all users in the next 12 months."
Some users celebrated the news by posting online. "I bet Rust Crates can't say the same! Or Go Modules! Or Python's Pip! Or C# nuggets!"
But not all anonymous internet users were excited about the news. "I guess it's better. But it's not the NPM I grew to love. This new world...well, it's changing. And it'll take time to get used to."
We're glad NPM is becoming more secure and wish its engineering team the best after Microsoft laid off all but 1 developer on the team.
Update: The above report was determined to be inaccurate. The numbers were generated by an A.I. model. The real ratio is still being calculated, but current estimates put it at 1 in 1.8 packages. Which is still more secure than ever, and a milestone worth celebrating.