NPM flooded with 748 packages that store movies (sonatype.com)
19 points by ben_s on Jan 28, 2024 | hide | past | favorite | 8 comments


I don't love how, when someone in China, a country with a billion people, misuses/uses a service cleverly, it's a "Chinese dev" and an attack, but when it's something that actually breaks npmjs like the everything package, it's just some guy, like US devs aren't bragging about their "filesystem over YouTube" implementations with blog posts on HN.


> Repository Firewall customers remain safe

lol

From video files?


Labelling a video as malicious code is peak cybersecurity busywork. Have they run out of packages to report for ReDoS?


Perhaps not terribly relevant to this case, but I remember some videos making the rounds over Discord that would crash the app. I think in the end it wasn't malicious, but it's not unreasonable to worry that if a video file can cause an app to crash, then what else can it do?


Yeah, this seems like obvious self-promotion.


A properly crafted mal-media file will function as media and carry a payload of malignant code. You only need to be comfortable manipulating headers and data structure.


This is an amazingly clever use of HLS. I'd hate to be the NPM abuse team right now.


It gets better if they figure out how to cloak the packages so detection as a media file is confounded.



