
441 points longcat | 3 comments
inbx0 ◴[] No.45040282[source]
Periodic reminder to disable npm install scripts.

    npm config set ignore-scripts true [--global]
It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work without them. For those that don't, you can create a separate installation script to your project that cds into that folder and runs their install-script.

I know this isn't a silver bullet solution to supply chain attacks, but, so far it has been effective against many attacks through npm.

https://docs.npmjs.com/cli/v8/commands/npm-config

replies(17): >>45040489 #>>45041292 #>>45041798 #>>45041820 #>>45041840 #>>45042872 #>>45043977 #>>45045311 #>>45045447 #>>45045979 #>>45046082 #>>45046981 #>>45047430 #>>45047994 #>>45049197 #>>45049793 #>>45050820 #
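The two-part setup the comment describes, as an added example that is not from the thread or from npm: pin `ignore-scripts=true` in the project's `.npmrc` (the same effect as running `npm config set ignore-scripts true` inside the project), then keep a small allowlist of packages whose install hooks you run yourself from a separate script. The allowlist name `goodpkg`, the sed-based lookup of `scripts.postinstall`, and the two-package fixture are constructed for the demo so it runs without npm; in a real project you would replace the sed lookup with `npm rebuild <pkg>` or `cd node_modules/<pkg> && npm run postinstall --if-present`.

```shell
#!/bin/sh
# Added example (not the thread's or npm's own code): project-level
# ignore-scripts plus an explicit allowlist of packages whose install
# scripts are run deliberately, from a script the project controls.
set -eu

# Hypothetical allowlist: only these packages get their postinstall run.
ALLOWED_SCRIPT_PKGS="goodpkg"

# Pin ignore-scripts=true in the project's .npmrc, idempotently.
# Equivalent to `npm config set ignore-scripts true` run in that project.
write_project_npmrc() {
  root=$1
  if ! grep -qs '^ignore-scripts=true$' "$root/.npmrc"; then
    printf 'ignore-scripts=true\n' >> "$root/.npmrc"
  fi
}

# Crude lookup of scripts.postinstall in a package.json (single-line string
# values only; assumption for the demo, a real script would let npm or
# node read the JSON).
postinstall_cmd() {
  sed -n 's/.*"postinstall"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$1/package.json" | head -n 1
}

# Run the postinstall hook of each allowlisted package from inside its own
# directory (as npm would), and nothing at all for every other package.
run_allowed_install_scripts() {
  root=$1
  for pkg in $ALLOWED_SCRIPT_PKGS; do
    dir="$root/node_modules/$pkg"
    [ -f "$dir/package.json" ] || continue
    cmd=$(postinstall_cmd "$dir")
    [ -n "$cmd" ] || continue
    echo "running postinstall for $pkg: $cmd"
    (cd "$dir" && sh -c "$cmd")
  done
}

# Constructed fixture: two installed packages with postinstall hooks,
# only one of which is on the allowlist.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/goodpkg" "$root/node_modules/otherpkg"
  cat > "$root/node_modules/goodpkg/package.json" <<'EOF'
{ "name": "goodpkg", "version": "1.0.0",
  "scripts": { "postinstall": "printf built > built.txt" } }
EOF
  cat > "$root/node_modules/otherpkg/package.json" <<'EOF'
{ "name": "otherpkg", "version": "1.0.0",
  "scripts": { "postinstall": "printf ran > ran.txt" } }
EOF
  printf '%s\n' "$root"
}

# `sh this_script.sh demo` builds the fixture, pins .npmrc, and shows that
# only goodpkg's hook produced a file.
if [ "${1:-}" = "demo" ]; then
  root=$(make_fixture)
  write_project_npmrc "$root"
  run_allowed_install_scripts "$root"
  ls "$root/node_modules/goodpkg" "$root/node_modules/otherpkg"
fi
```

Because `.npmrc` is committed with the project, every developer and CI runner gets the same `ignore-scripts=true` on a plain `npm install`, and the allowlist lives in a reviewed script rather than in whatever a newly added dependency decided to ship.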
johnisgood ◴[] No.45049793[source]
At this point why not just avoid npm (and friends) like the plague? Genuinely curious.
replies(1): >>45050476 #
1. ifwinterco ◴[] No.45050476[source]
I work for a company that needs to ship software so my salary can get paid
replies(1): >>45050821 #
2. johnisgood ◴[] No.45050821[source]
Can't you guys replace the most vulnerable parts with something better? I have been experimenting with Go + Fyne, it is pretty neat, all things considered.
replies(1): >>45051811 #
3. ◴[] No.45051811[source]