
441 points longcat | 3 comments
inbx0 No.45040282
Periodic reminder to disable npm install scripts.

    npm config set ignore-scripts true [--global]
It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work without them. For those that don't, you can create a separate installation script for your project that cds into that folder and runs their install script.

I know this isn't a silver bullet solution to supply chain attacks, but, so far it has been effective against many attacks through npm.

https://docs.npmjs.com/cli/v8/commands/npm-config

replies(17): >>45040489 #>>45041292 #>>45041798 #>>45041820 #>>45041840 #>>45042872 #>>45043977 #>>45045311 #>>45045447 #>>45045979 #>>45046082 #>>45046981 #>>45047430 #>>45047994 #>>45049197 #>>45049793 #>>45050820 #
halflife No.45041292
This sucks for libraries that download native binaries in their install script. There are quite a few.
replies(2): >>45043190 #>>45046036 #
1. lrvick No.45046036
Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.

replies(1): >>45046109 #
2. oulipo2 No.45046109
Sure, but then you need to have a way to whitelist
replies(1): >>45048400 #
3. lrvick No.45048400
The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.