←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 3 comments | 27 Aug 25 01:38 UTC | HN request time: 0.615s | source
1. nicoritschel ◴[27 Aug 25 15:49 UTC] No.45041302[source]
One of my projects uses an impacted version. However, we use bun as a package manager. Thrilled bun protected us by default!

> executing arbitrary scripts represents a potential security risk, so—unlike other npm clients—Bun does not execute arbitrary lifecycle scripts by default.

replies(1): >>45041417 #
2. ec109685 ◴[27 Aug 25 15:58 UTC] No.45041417[source]
Can’t the exploit just be encoded in files that are used when the npm module is actually used?

It seems like not running it at package install time doesn’t afford that much protection.

replies(1): >>45041533 #
3. bapak ◴[27 Aug 25 16:07 UTC] No.45041533[source]
Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.

Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after up type nx[enter] in your command line.