[15:54:32] https://twitter.com/lukejacksonn/status/1131506699356037121
[15:54:33] rofl
[15:54:40] Krinkle: ^ You'll love that one
[16:05:57] Reedy: Unsurprising but no less delicious. Thanks :)
[16:13:06] Reedy: Actually, the package is not as bad as I thought. The worse way would have avoided the incident, interestingly.
[16:13:44] I was assuming it to be a no-op package on npm that used package.json#scripts.preinstall to run an arbitrary shell command during installation, where it could gracefully ping a server from a 1-line JS script.
[16:15:11] Instead, the package on npm is really empty, not even a 1-line script that runs an HTTP request. The way they did it is instead to tell users of the package not to install it via npm, but to add to their /downstream/ package.json an override that makes it install the empty package from a custom URL. Kind of like how in Composer you can add packages from an arbitrary git URL. Then that git URL just served an empty repo, but they used the network request for stats.
[16:15:25] Simpler to some extent, but also way more fragile as a result.