
<https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/> This article lists six cases of malware contributed to npm (the repo for sharing node.js and JavaScript source). How many undetected cases exist? I've always pretended that Linux distros vet their code. I'm not sure how true that is. Probably the greatest protection is the time delay between contribution and distribution. I wonder what can be done about this problem. I've said so at our meetings a few times too. Of course the problem is worse with closed source: it is impossible to audit the source. But closed source might have fewer contributors and more supervision. Of course much closed source is built on top of open source and thus all its weaknesses