Comment Re:Why is NPM such a target? (Score 2) 21
Because it is so easy and very effective.
The JS community has streamlined and simplified pulling packages from a remote repo and automatically incorporating them into your build.
The community has also encouraged a strong reliance on using libraries as the first answer to solving a problem (see left-pad).
There is no review or verification process for these remote packages. NPM provides no quality feedback mechanisms like an issue count or comment facility, just a report malware button.
From the outside, the management of NPM has historically been bad, as in the kik/left-pad issue.
This management doesn't seem to have improved. During the acquisition one of the few things Github said that they wanted to do was introduce 2FA to NPM.
Their response to these security issues eighteen months later is that they intend to introduce 2FA.
This isn't unique to Javascript/NPM; Python has many of the same issues, but to a lesser extent. I think the library culture actually started with Perl and CPAN.
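As an added illustration that is not part of the comment above: since the registry itself offers no verification step, one check a consumer can run on their own package-lock.json is whether every dependency npm will pull in is pinned by an integrity hash and resolves to the public registry. The lockfile and package names below are constructed for the example.

```javascript
// Constructed lockfile (lockfileVersion 3 layout) with one well-formed entry
// and two that a reviewer would want flagged before the next install.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH=="
    },
    "node_modules/mystery-lib": {
      version: "0.0.1",
      // no integrity field: npm cannot verify the tarball it downloads
      resolved: "https://example.invalid/mystery-lib-0.0.1.tgz"
    },
    "node_modules/git-dep": {
      version: "2.0.0",
      // git dependency: no hash, and fetched from outside the registry
      resolved: "git+ssh://git@example.invalid/org/git-dep.git#abc123"
    }
  }
};

// Walk every installed package recorded in the lockfile and return a list
// of findings; an empty list means every entry is hash-pinned and sourced
// from the trusted registry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself, not a dependency
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity) findings.push({ name, issue: "missing integrity hash" });
    if (!entry.resolved) {
      findings.push({ name, issue: "no resolved URL" });
      continue;
    }
    if (!entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ name, issue: `resolved outside registry: ${entry.resolved}` });
    }
  }
  return findings;
}

// Same check against a lockfile on disk (hypothetical helper for CI use).
function auditLockfilePath(file) {
  return auditLockfile(JSON.parse(require("fs").readFileSync(file, "utf8")));
}

console.log(auditLockfile(sampleLock));
```

Running this in CI before `npm ci` catches a lockfile edit that swaps in an unpinned or off-registry package; it does not vet the package contents, so it complements rather than replaces code review of new dependencies.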