The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," and they were distributed across specific version ranges
Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?
You would have to really go out of your way to get infected by stuff like this.
That being said, there are things npm could do to try to auto-detect "risky" packages (new, similar name to existing projects, few downloads, etc.) and require an additional layer of confirmation, or something like that.
It’s misleading because it’s irrelevant and makes it sound like a platform breach.
Try replacing Roblox with “Foozsplatz” and the implication of severity is completely different, even though the nature of what is being reported is unchanged.
I'm confused, in this hypothetical is Foozsplatz a non sense word or is it meant to be a game like Roblox? If you mean the first, then yeah, obviously replacing a proper noun with gibberish changes the implication. If you mean the second then no, it would have the same implication.
It literally doesn’t matter. You can remove the word and the nature of the problem being discussed is still the same. What platform is being targeted has nothing to do with the example problem. Roblox is only mentioned to sensationalize it and get clicks.