
Last Npm Incident Uncovers Security Vulnerability

January 15, 2018

Via: InfoQ

Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to solve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.

According to the official report, the root cause of the incident was the mistaken decision to remove the user floatdrop and make all of their packages undiscoverable and blocked. This decision was driven by the publication of a package containing spam that also included the README for floatdrop's legitimate package timed-out.

Read More on InfoQ