The consummate idiot who hacked node-ipc to wipe data from Russian systems apparently managed to wipe all the war crime data an American NGO was collecting on the conflict, causing irreparable damage to their operations and losing 30,000 pieces of evidence.
Whether or not that data loss actually happened (folk are already saying the NGO does not actually exist), the package was shipped with destructive behavior, and, later, a “less harmful” fix.
But the problem doesn’t stop with package maintainers. The entire system, from development ethos to package auditing, vetting and distribution, is broken.
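One concrete piece of that vetting gap is that a destructive release gets pulled in silently whenever a dependency is declared with a semver range instead of an exact version. The script below is an added example, not code from the post or from node-ipc: it lists every dependency specifier in a package.json that is not pinned to an exact version and resolves each one to the version actually recorded in package-lock.json, so a reviewer sees what will really be installed before running anything. It assumes the lockfileVersion 2/3 layout (a top-level "packages" map keyed by node_modules paths); the package names and versions in the sample are constructed for the demo.

```python
"""Added example (not from the post): a minimal vetting check for an npm project.

It flags dependency specifiers in package.json that are not pinned to an exact
version, and resolves each direct dependency to the exact version recorded in
package-lock.json (lockfileVersion 2 or 3 layout), so a reviewer can see what will
actually be installed. The sample package.json/package-lock.json below are
constructed for the demo, not real project files.
"""
import json
import re

# Exact semver version, optionally with a pre-release/build suffix (1.2.3, 1.2.3-beta.1).
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def unpinned_dependencies(package_json: dict) -> dict:
    """Return {name: specifier} for deps whose specifier is not an exact version."""
    found = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                found[name] = spec
    return found


def locked_versions(package_lock: dict) -> dict:
    """Map direct dependency name -> exact version recorded in the lockfile.

    Only top-level entries ("node_modules/<name>") are considered; nested
    entries such as "node_modules/a/node_modules/b" are transitive deps.
    """
    versions = {}
    for path, entry in package_lock.get("packages", {}).items():
        if path.startswith("node_modules/") and path.count("node_modules/") == 1:
            versions[path[len("node_modules/"):]] = entry.get("version")
    return versions


def vet(package_json: dict, package_lock: dict) -> list:
    """Return (name, declared range, locked version) for every unpinned dependency."""
    locked = locked_versions(package_lock)
    return [
        (name, spec, locked.get(name))
        for name, spec in unpinned_dependencies(package_json).items()
    ]


# Constructed sample input (hypothetical package names and versions).
SAMPLE_PACKAGE_JSON = json.loads("""{
  "name": "demo-app",
  "dependencies": {"some-ipc-lib": "^10.1.0", "tiny-util": "1.3.0"},
  "devDependencies": {"some-linter": "~2.4.0"}
}""")

SAMPLE_PACKAGE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/some-ipc-lib": {"version": "10.1.3"},
    "node_modules/tiny-util": {"version": "1.3.0"},
    "node_modules/some-linter": {"version": "2.4.7"},
    "node_modules/some-linter/node_modules/nested": {"version": "0.0.1"}
  }
}""")

if __name__ == "__main__":
    for name, spec, locked in vet(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK):
        print(f"{name}: declared {spec}, lockfile resolves to {locked}")
```

Run against a real project by loading its package.json and package-lock.json with json.load; every line it prints is a dependency whose next install could change under you without a diff to review, which is exactly the path a protestware release takes into downstream builds.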
No matter how “good” your intentions are, doing this kind of shit ought to be enough for getting you permanently banned from publishing software, and I’m constantly (not) surprised at the fact that npm is the only ecosystem where these things just keep happening.
When’s the last time you got a Python, Go or Java package that did this kind of thing by design?