hannob/vulns

The npm attacks / What defines a "vulnerability"?

sebilasse opened this issue · 1 comment

Not sure if this is only about "hard-hacking vulnerabilities" or also about package managers becoming a target for crazy "soft-hacks". An example:

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

Given that this repo was used in several "boilerplate" projects which people actively used, we should assign fancy names for such viciousness too.

I'm with you that this is a serious issue, but part of the point I'm trying to make is that the marketed vulns get all the attention while often not being relevant, so this kinda doesn't fit in, as there was no marketing and not that much public attention.