Since Shai-Hulud scanned maintainers' computers, if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?
That is, how does signing prevent publishing of malware, exactly?
Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.
Exactly! I hate to say this because it makes me sound like a tech elitist, but some people really do need those warnings because they can't tell what website they're on.
See the ReadWriteWeb article that had to put a big "this is not Facebook" notice on it.