←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 1 comments | 27 Aug 25 01:38 UTC | HN request time: 0.211s | source
Show context
inbx0 ◴[27 Aug 25 14:33 UTC] No.45040282[source]
Periodic reminder to disable npm install scripts.

    npm config set ignore-scripts true [--global]
It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work without them. For those that don't, you can create a separate installation script to your project that cds into that folder and runs their install-script.

I know this isn't a silver bullet solution to supply chain attakcs, but, so far it has been effective against many attacks through npm.

https://docs.npmjs.com/cli/v8/commands/npm-config

replies(17): >>45040489 #>>45041292 #>>45041798 #>>45041820 #>>45041840 #>>45042872 #>>45043977 #>>45045311 #>>45045447 #>>45045979 #>>45046082 #>>45046981 #>>45047430 #>>45047994 #>>45049197 #>>45049793 #>>45050820 #
1. oulipo2 ◴[27 Aug 25 22:22 UTC] No.45046082[source]
Does it work the same for pnpm ?