On September 8th, 18 npm packages were compromised with malicious code. These packages are very popular. They receive an average of 2 billion downloads every week. If you are not sure whether you are affected, you can run this grep command on your repository to search for the malicious code:
grep -r _0x112fa8 .
If it returns any results, you are in trouble. It is already concerning that this hack was possible at all through social engineering, but what makes it worse is that it targeted the type of person who should be the most vigilant. That is to say, if maintainers of extremely popular npm packages can fall for phishing, you need to exercise extreme vigilance.
But there is also another issue going unnoticed: 2 billion downloads a week. Whenever we run our pipelines, we run npm i or npm ci. This is common practice, and it is also how we end up with compromised code, or with broken builds even when we know that our own code was fine before the build started. Before we build our code, we download all packages from the internet. We place our trust in the package manager and hope for the best. But why do we need to redownload code every single time?
Close to a decade ago, the programmer who published the left-pad library on NPM decided to delete his code. This was a trivial library that solved a trivial problem. But since thousands of other repositories depended on it, the deletion broke the build process of thousands of other projects. A large part of the tech industry ground to a halt as NPM scrambled to revive the package. None of these projects were downloading left-pad for the first time, so why didn't they just cache it?
Why don't we all cache it? Why do we redownload the same packages over and over several times a day with the potential of injecting security vulnerabilities? Why do these packages need to be downloaded 2 billion times a week, when they change only a handful of times? Do we even need the latest versions without vetting them first?
Maybe it is time to revisit this practice. We need to download packages once and reuse them until we manually update them. This is not an unavoidable problem. We can resolve it. There is no need for packages to be downloaded 2 billion times in one week, thrown away, then redownloaded again. It's a waste of bandwidth and a point of entry for security vulnerabilities.
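The following is an added example, not code from the original post, of what "download once, vet, then reuse" can look like as a build gate. It refuses to build unless every dependency pinned in package-lock.json is present in a local cache, the cached tarball still matches the lockfile's integrity hash (so nothing was swapped or corrupted since it was vetted), and the tarball's files are free of the indicator string the grep command above looks for. The lockfile entries, package names and tarballs are constructed for the demo, the cache is modelled as an in-memory mapping rather than a directory of .tgz files, and the helper names (verify_cache, scan_tarball, and so on) are this example's own. It relies on the real npm lockfile layout: a lockfileVersion 2/3 "packages" table whose "integrity" values are SRI hashes of the published tarball.

```python
from __future__ import annotations

import base64
import hashlib
import io
import json
import tarfile
from typing import Mapping

# The string the post's "grep -r _0x112fa8 ." searches for.
INDICATOR = "_0x112fa8"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string ("sha512-<base64 digest>") as npm records it."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def sri_matches(data: bytes, expected: str) -> bool:
    """An integrity field may list several hashes separated by whitespace; any exact match passes."""
    for entry in expected.split():
        algo, _, _ = entry.partition("-")
        if algo in hashlib.algorithms_available and sri(data, algo) == entry:
            return True
    return False


def lock_integrity(lock_json: str) -> dict[str, str]:
    """Map each dependency key in a lockfileVersion 2/3 "packages" table to its integrity string."""
    packages = json.loads(lock_json).get("packages", {})
    # The "" key is the root project itself and has no tarball to verify.
    return {k: v["integrity"] for k, v in packages.items() if k and "integrity" in v}


def scan_tarball(data: bytes, indicator: str) -> list[str]:
    """Paths inside a .tgz whose contents contain the indicator.
    The archive is gzip-compressed, so grepping the tarball bytes directly would miss it."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            f = tar.extractfile(member) if member.isfile() else None
            if f is not None and indicator.encode() in f.read():
                hits.append(member.name)
    return hits


def verify_cache(lock_json: str, cache: Mapping[str, bytes]) -> tuple[bool, list[str]]:
    """Decide whether a build may proceed from the local cache alone.
    Returns (ok, problems); ok is True only when every pinned dependency is present,
    matches its lockfile integrity, and contains no file with the indicator."""
    problems = []
    for name, expected in lock_integrity(lock_json).items():
        data = cache.get(name)
        if data is None:
            problems.append(f"{name}: not in cache, a fresh download would be needed")
            continue
        if not sri_matches(data, expected):
            problems.append(f"{name}: integrity mismatch against package-lock.json")
        for path in scan_tarball(data, INDICATOR):
            problems.append(f"{name}: {path} contains {INDICATOR}")
    return (not problems, problems)


def make_tarball(files: Mapping[str, str]) -> bytes:
    """Build an in-memory .tgz shaped like an npm package tarball (files live under package/)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            body = text.encode()
            info = tarfile.TarInfo(name=f"package/{path}")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def demo() -> tuple[bool, list[str]]:
    """Constructed lockfile and cache covering the outcomes the checks distinguish."""
    ok_tgz = make_tarball({"index.js": "module.exports = (s, n) => s.padStart(n);\n"})
    orig_tgz = make_tarball({"index.js": "module.exports = () => 1;\n"})
    swapped_tgz = make_tarball({"index.js": "module.exports = () => 2;\n"})  # not what was pinned
    bad_tgz = make_tarball({"index.js": f"var {INDICATOR} = [];\n"})  # pinned, but carries the indicator
    lock = json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo-app"},
            "node_modules/pinned-ok": {"version": "1.0.0", "integrity": sri(ok_tgz)},
            "node_modules/swapped-in-cache": {"version": "1.0.0", "integrity": sri(orig_tgz)},
            "node_modules/not-cached": {"version": "1.0.0", "integrity": sri(b"never downloaded")},
            "node_modules/pinned-bad": {"version": "4.0.0", "integrity": sri(bad_tgz)},
        },
    })
    cache = {
        "node_modules/pinned-ok": ok_tgz,
        "node_modules/swapped-in-cache": swapped_tgz,
        "node_modules/pinned-bad": bad_tgz,
    }
    return verify_cache(lock, cache)


if __name__ == "__main__":
    ok, problems = demo()
    print("build may proceed from cache" if ok else "refusing to build:")
    for p in problems:
        print("  -", p)
```

The pinned-bad case is the one worth noticing: its integrity matches the lockfile perfectly, because the lockfile itself pinned a compromised version. Hash checking proves only that the cache holds what was pinned; the content scan is what catches a bad pin, which is why the two checks belong together and why updating a pin should be a deliberate, vetted step rather than a side effect of every pipeline run.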