but if you `cd project && npm install compromised-package` then compromised-pack... | Hacker News

HN2new | past | comments | ask | show | jobs | submit

		internet_points 76 days ago \| parent \| context \| favorite \| on: GitLab discovers widespread NPM supply chain attac... but if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?

tinodb 74 days ago [–]

Yes, but I guess that is still much better than that it can read all your .env files on your machine

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact