←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 3 comments | 27 Aug 25 01:38 UTC | HN request time: 0.212s | source
1. DrNosferatu ◴[27 Aug 25 14:40 UTC] No.45040380[source]
And how’s the situation with Bun?
replies(2): >>45041350 #>>45043013 #
2. nicoritschel ◴[27 Aug 25 15:53 UTC] No.45041350[source]
All good https://news.ycombinator.com/item?id=45041302
3. lioeters ◴[27 Aug 25 18:11 UTC] No.45043013[source]
From: https://bun.sh/docs/install/lifecycle

> Packages on npm can define lifecycle scripts in their package.json. These scripts are arbitrary shell commands that the package manager is expected to read and execute at the appropriate time.

> But executing arbitrary scripts represents a potential security risk, so — unlike other npm clients — Bun does not execute arbitrary lifecycle scripts by default.