Good eyes, but this looks like it may be a red herring. That is a fork of the `s... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		eropple on Nov 26, 2018 \| parent \| context \| favorite \| on: Backdoor in event-stream library dependency Good eyes, but this looks like it may be a red herring. That is a fork of the `scrypt` package, canonically found here: https://www.npmjs.com/package/scrypt With one maintainer, Barry Steyn, whose referenced repo is here: https://github.com/barrysteyn/node-scrypt Somebody would have to pick it up from a git URL, I think. (Maybe they could typosquat, but we'd have to find that first.)

rdtsc on Nov 26, 2018 [–]

Yeah it looks mostly like a copy and saw most commits are not by that user, but the user has made some commits and not being familiar with how NPM packages work too well, thought I'd drop a warning here.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact