Malware found on NPM infecting local package with reverse shell

[fc417fc802]

I'm mostly on board with that dichotomy except that I think it's also important that all fetched artifacts either come from a VCS or are similarly cryptographically versioned and all historical versions made available in a reliable manner.

[robinsonb5]

Yes, absolutely - I can't disagree with that.