- The company is smaller and/or already geo-distributed and doesn't have the ability (or awareness) to monitor employee locations or deal with the tax/compliance obligations and so turns a blind eye, intentionally or not. The employees are generally operating in a grey area - either on tourist visas or for a company that isn't registered to employee people in their locale.
- The company actively creates a remote-first environment, working with their employees to employ them (compliantly) in their locale, usually through a third-party employer of record. These are very few and far between, but they exist.
- Companies, like Airbnb, that allow for a certain amount of time outside of a "home locale" per year (IIRC, it's 90 days). This isn't truly "global remote" but employees can move around more freely than in-office or locale-only employers.
I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.
Aikido says:
> We were alerted to a large-scale attack against npm...
Socket says:
> Socket.dev found compromised various CrowdStrike npm packages...
Ox says:
> Attackers slipped malicious code into new releases...
Safety says:
> The Safety research team has identified an attack on the NPM ecosystem...
Phoenix says:
> Another supply chain and NPM maintainer compromised...
Semgrep says:
> We are aware of a number of compromised npm packages
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
- The company is smaller and/or already geo-distributed and doesn't have the ability (or awareness) to monitor employee locations or deal with the tax/compliance obligations and so turns a blind eye, intentionally or not. The employees are generally operating in a grey area - either on tourist visas or for a company that isn't registered to employee people in their locale.
- The company actively creates a remote-first environment, working with their employees to employ them (compliantly) in their locale, usually through a third-party employer of record. These are very few and far between, but they exist.
- Companies, like Airbnb, that allow for a certain amount of time outside of a "home locale" per year (IIRC, it's 90 days). This isn't truly "global remote" but employees can move around more freely than in-office or locale-only employers.