@weng said in Node.js trojans in the wild:

@unperverted-vixen said in Node.js trojans in the wild:

@weng said in Node.js trojans in the wild:

It annoys my team that I won't let them have unfettered access to nuget.org. Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me...

The problem with them still having access to NuGet.org: what's stopping them from dropping the package in a file share, and adding that as a package source in NuGet.config?

They aren't that creative

Murder.

I mean, that scenario is basically the same as "what if they copy and paste a virus into the code from StackOverflow?"
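The scenario raised in the thread, a file share added as a package source in NuGet.config, can be caught by a check on the build server before restore. The following is an added example, not part of the original post; the feed URL, source names and sample config are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Assumption: the single approved feed (placeholder URL, not taken from the thread).
ALLOWED_SOURCES = {"https://proget.example.internal/nuget/approved/v3/index.json"}

# Constructed sample: a repo-level NuGet.config with a file share added as a source.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="internal" value="https://proget.example.internal/nuget/approved/v3/index.json" />
    <add key="team-share" value="\\\\fileserver\\packages" />
  </packageSources>
</configuration>"""


def _norm(value):
    """Normalize a source value for comparison (trailing slash, case)."""
    return value.strip().rstrip("/").lower()


def audit_nuget_config(xml_text, allowed=ALLOWED_SOURCES):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources>: sources are inherited from user/machine config"]
    children = list(sources)
    # Without a leading <clear />, sources from higher-level configs still apply.
    if not children or children[0].tag != "clear":
        findings.append("missing leading <clear />: inherited sources remain active")
    approved = {_norm(a) for a in allowed}
    for el in children:
        if el.tag != "add":
            continue
        key, value = el.get("key", ""), el.get("value", "")
        if _norm(value) not in approved:
            findings.append(f"unapproved source '{key}' -> {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_nuget_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run as a pre-restore build step, any non-empty result would fail the build.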