Josh Junon said he didn’t feel the weight of maintaining software with 2.6 billion weekly downloads until it came crashing down on him earlier this month.

Junon is a maintainer of wildly popular open-source software packages distributed via npm, including a ubiquitous JavaScript debug package.

But then he fell victim to a convincing phishing attack on September 8, and the attackers went on to poison his repositories with crypto-mining malware.

The incident was caught within two hours, and less than $1,000 of cryptocurrency was stolen, but the scale of the potential fallout was a blunt reminder of the risk of open-source supply chain attacks.

(JFrog said the malicious packages were downloaded over 2 million times, while Wiz said that 10% of cloud environments were impacted by the attack, with 99% relying on at least one package in Junon’s profile.)

Hobby to 2.6 billion weekly downloads

Junon has been maintaining a growing profile of packages on npm for nearly a decade. He started programming at nine years old and got into HTML “very, very early.” He said when Node came out, he was hooked.

The coder wanted to write command lines in color and discovered Sindre Sorhus’s chalk package. After enough pull requests, Sorhus asked Junon to join as a maintainer. His hobby “over time just kind of calcified into this backbone of a lot of the infrastructure that we have today.”

Speaking to The Stack, Junon said the scale didn’t hit him until the attack.
