npm's track record on security and corporate governance has been dicey. The infamous left-pad incident was prompted by npm, inc. acquiescing to demands from lawyers representing the messaging service Kik that an unrelated package be renamed. When the package's author declined, npm, inc. reassigned the package to Kik, prompting the author to unpublish every other package they owned and breaking the downstream programs that required those packages; left-pad alone was used by some 575,000 of them.
Noted programmer David Gilbertson takes issue with importing third-party packages for obvious reasons, noting in a Medium essay that “we live in an age where people install npm packages like they’re popping pain killers.”
Last November, an attacker socially engineered their way into control of the event-stream package. With maintainer access, they added a dependency carrying obfuscated code that was used to steal cryptocurrency wallet information, and the change reached downstream projects through an ordinary version bump. Baldwin previously characterized this to TechRepublic as a “cat and mouse game” which is “difficult when you have 100,000 mice out there.”
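The event-stream compromise is a reminder that the new code arrived as a transitive dependency nobody asked for, so the practical check is to diff the lockfile before merging a dependency update. The script below is an added example written for this page, not code from the article, from npm or from the event-stream project: it compares the "packages" maps of two package-lock.json files (lockfileVersion 2 or 3) and reports entries that appeared, changed version or hash, or cannot be verified against the public registry. The two lockfiles are constructed inline; the package names mirror the incident (event-stream 3.3.6 did introduce flatmap-stream 0.1.1), but the integrity hashes are placeholders and the internal-helper package is hypothetical.

```javascript
// Added example (not from the article or from npm): diff two package-lock.json
// "packages" maps and flag dependencies that appeared, changed, or cannot be
// verified. Lockfile contents below are constructed; hashes are placeholders.

const REGISTRY = "https://registry.npmjs.org/";

// Returns { added, changed, unverifiable } for `after` relative to `before`.
// The root entry (key "") is the project itself and is skipped.
function diffLockfiles(before, after) {
  const beforePkgs = before.packages || {};
  const afterPkgs = after.packages || {};
  const added = [];
  const changed = [];
  const unverifiable = [];

  for (const [path, pkg] of Object.entries(afterPkgs)) {
    if (path === "") continue;
    const prev = beforePkgs[path];
    if (!prev) {
      added.push({ path, version: pkg.version });
    } else if (
      prev.version !== pkg.version ||
      prev.resolved !== pkg.resolved ||
      prev.integrity !== pkg.integrity
    ) {
      changed.push({ path, from: prev.version, to: pkg.version });
    }
    // No integrity hash, or a tarball fetched from outside the public
    // registry, means the installed bytes cannot be tied to what was reviewed.
    if (!pkg.integrity || !(pkg.resolved || "").startsWith(REGISTRY)) {
      unverifiable.push({ path, resolved: pkg.resolved || null });
    }
  }
  return { added, changed, unverifiable };
}

// Constructed "before" lockfile: the app pinned event-stream 3.3.4.
const BEFORE = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "event-stream": "^3.3.4" } },
    "node_modules/event-stream": {
      version: "3.3.4",
      resolved: REGISTRY + "event-stream/-/event-stream-3.3.4.tgz",
      integrity: "sha512-PLACEHOLDER-OLD",
      dependencies: { through: "~2.3.1" },
    },
    "node_modules/through": {
      version: "2.3.8",
      resolved: REGISTRY + "through/-/through-2.3.8.tgz",
      integrity: "sha512-PLACEHOLDER-THROUGH",
    },
  },
};

// Constructed "after" lockfile: a semver-compatible bump pulled in a new
// transitive dependency, plus a hypothetical git dependency with no hash.
const AFTER = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "event-stream": "^3.3.4" } },
    "node_modules/event-stream": {
      version: "3.3.6",
      resolved: REGISTRY + "event-stream/-/event-stream-3.3.6.tgz",
      integrity: "sha512-PLACEHOLDER-NEW",
      dependencies: { through: "~2.3.1", "flatmap-stream": "0.1.1" },
    },
    "node_modules/through": BEFORE.packages["node_modules/through"],
    "node_modules/flatmap-stream": {
      version: "0.1.1",
      resolved: REGISTRY + "flatmap-stream/-/flatmap-stream-0.1.1.tgz",
      integrity: "sha512-PLACEHOLDER-FLATMAP",
    },
    "node_modules/internal-helper": {
      version: "1.0.0",
      resolved: "git+ssh://git@github.com/example/internal-helper.git#abc123",
    },
  },
};

// Human-readable lines for a pull-request comment or CI log.
function report(before, after) {
  const d = diffLockfiles(before, after);
  const lines = [];
  for (const a of d.added) lines.push(`ADDED      ${a.path}@${a.version}`);
  for (const c of d.changed) lines.push(`CHANGED    ${c.path} ${c.from} -> ${c.to}`);
  for (const u of d.unverifiable) lines.push(`UNVERIFIED ${u.path} (${u.resolved})`);
  return lines;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of report(BEFORE, AFTER)) console.log(line);
}
```

Run against real files by replacing BEFORE and AFTER with `JSON.parse(fs.readFileSync(...))` of the lockfile from the base branch and the pull request; any ADDED or UNVERIFIED line is a package that deserves the same review as first-party code before the update is merged.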
From a corporate governance standpoint, npm, inc. has taken heat throughout most of 2019 for layoffs affecting five employees, following the formal announcement of new CEO Bryan Bogensberger, who has been accused of replacing existing staffers with people from a startup that Bogensberger exited.