You have no idea how bad this really is.
Top Comments (10)
When I came to the node world about 8 years ago, I immediately identified post- and pre-install scripts as a big weakness. It's honestly unbelievable that EVERY npm package can just decide to run whatever. How is this still allowed in npm by default?
This is why you don't update and deploy to _prod_ just before everyone leaves for a long holiday weekend.
It will happen again unless developers see checking random third-party library code as important as indentation. All unaudited third-party code should be treated as malware unless proven otherwise.
"The PR making this change was merged on the 11th of September". 9/11, the prelude
It's crazy that other package registries didn't get news like this
Maybe the webdev world will finally realize that infinite libraries lead to infinite attack vectors?
Theo never watched Dune. Shame.
That is scary. I wrote an npm.cmd that runs all npm commands in a clean docker container and uninstalled node from my host machine. Yeah, it's slower and I have to map some ports, but at least I am not gonna be pwnt. I basically treat NPM as dangerous by default.
Thanks Theo. This information is extremely valuable. I feel bad for the people whose packages have been exploited.
At this point, you can release an npm hack video once a month