I Peeked Into My Node_Modules Directory And You Won’t Believe What Happened Next
Jordan Scales

I’m … a bit skeptical here. Two points:

  1. The yummy package doesn’t include any file called like-tweet.js. From what I can tell, it never did. Even if it did, the file snippet posted wouldn’t actually like the tweet presented because it’s not passing any sort of credentials to the API.
  2. I tried finding a hidden Guy Fieri image in Babel, and it’s not there. Not on GitHub. Not on NPM. Not on copies of Babel I installed last January. It doesn’t exist.

My suspicion is that either the author’s installation itself has been hacked in some way (thus the nefarious code) or the author wrote this as a sad joke. I hope it’s the latter, but if so, it’s in really bad taste.

The end users of JS applications don’t always understand how things are running under the hood. Publishing articles claiming devs are releasing code that abuses Twitter settings, ships unwanted image assets, or unnecessarily bundles encyclopedias will terrify them, and rightly so. But the net effect it has is in reducing consumer trust towards the developers of JS-based applications.

And that is not ok.

Clapping shows how much you appreciated Eric Mann’s story.