On the NPM Compromise

26 Nov 2018

I have a couple of thoughts about today’s reported compromise of an NPM module.

This is a symptom of yet another flaw with “proof of work” systems like Bitcoin.

They lower the net cost, as the asshole-at-the-margin sees it, of attacking systems at every level to steal computing cycles or wallets.

And this is another reason to regulate Bitcoin, and to think through the risks that Blockchain introduces.

While stealing Bitcoin was the motive, the opportunity for the attack was maintainer burnout. The attacker was able to take control of a codebase because someone who wrote a package that became an important part of Node’s ecosystem needed to step away.

We need governance and compensation for maintainers. If you’re at a company and maintain a package the community needs, that work should be accounted for as part of your job description. Packages need succession planning. Maintainers who are not getting paid need to get paid, and we need systems to do that. Tidelift is a market-based answer, but I’d like to see non-market and community-based systems too, since that’s a path to bring people from diverse backgrounds in as maintainers and allow them to make a living at it.

ETA: Hayden Parker from Coinbase wrote a technical review of the compromise which is worth your time.

