Zach Schneider:

If you work with JavaScript at all, you probably saw a ton of noise yesterday about a vulnerability in the event-stream npm package. Unfortunately, the actual forensic analysis of the issue is buried under 600+ comments on the GitHub issue, most of which are just people flaming about the state of npm, open source, etc. I thought that was a shame, because the vulnerability was actually exceptionally clever and technically interesting, and teaches some important lessons about maintaining security in JavaScript applications. So I decided to write an explainer detailing what happened, how the attack worked, and how the JavaScript community can better defend against similar attacks in the future.

My bitcoin has lost 80¢ to the dollar since I bought it, so I don’t know why anybody would bother stealing it.[1] But the technical write-up by Zach on exactly how the developer pulled this heist off is fascinating.

  1. Just kidding. I get it. Twenty cents is still twenty cents!