sarahmeyer / npm_eslint-scope_explainer.md
Last active July 14, 2018 16:50
explainer of the july 12 2018 npm/eslint vulnerability

What happened to npm yesterday?

This morning, soon after I got to work, one of my favorite coworkers sent me a direct message on Slack. They had heard a lot of discussion yesterday in our internal #front-end-devs channel about a malicious script making its way into an npm package called eslint-scope. After following the chat and reading the issue report on GitHub, they could tell that the attack exposed a vulnerability in the npm package ecosystem, and that the purpose of it was to harvest the contents of .npmrc files. They had a simple question:

why would someone steal npm credentials? what are they good for?

This coworker of mine is very smart, and if they didn't know the answer to this question, I thought it might be possible that other folks didn't know it, either.

What did the attacker try to steal?
