'No way to prevent this,' says only package manager where this regularly happens



SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.

“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string.

“There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”

At press time, residents of the Node.js ecosystem stood unified in their belief that the malicious remote-code execution was a completely unpredictable tragedy, offering their thoughts and prayers to the DevOps teams currently scrambling to rotate their corporate AWS keys.

Interestingly, developers in ecosystems like Go, Rust, and those utilizing native Web APIs—where robust standard libraries drastically reduce reliance on third-party code and strict cryptographic verification is built into the core toolchain—reported zero instances of a college dropout’s weekend project wiping out global logistics infrastructure today.

“It’s devastating, but we have to accept that we live in a world where bad actors exist. There are no registry policies or build-sandbox guardrails we could possibly enforce to stop it,” said an npm spokesperson, standing in front of an open-source registry that happily executes arbitrary installation scripts on local machines by default.

“Our hearts go out to the victims. Until the next inevitable breach tomorrow morning, we must simply remain resilient.”