The consummate idiot who sabotaged node-ipc
to wipe data from Russian systems apparently managed to wipe all the war-crime data an American NGO was collecting on the conflict, causing irreparable damage to its operations and losing 30,000 pieces of evidence.
Whether or not that data loss actually happened (people are already saying the NGO does not actually exist), the package shipped with deliberately destructive code and, later, a “less harmful” version.
This is not incompetence; it is deliberate malice (ok, plus enough stupidity to implement it badly). This kind of irresponsible behavior (and the lack of overall quality control around it) is why I don’t really trust the JavaScript ecosystem for anything and why I isolate or containerize development environments, builds and deployments.
But the problem doesn’t stop with package maintainers. The entire system, from development ethos to package auditing, vetting and distribution, is broken.
No matter how “good” your intentions are, doing this kind of shit ought to be enough to get you permanently banned from publishing software, and I’m constantly (not) surprised at the fact that npm is the only ecosystem where these things just keep happening.
When was the last time you got a Python, Go or Java package that did this kind of thing by design?