(github.com)

441 points longcat | 1 comments | 27 Aug 25 01:38 UTC | HN request time: 0.204s | source

https://semgrep.dev/blog/2025/security-alert-nx-compromised-...

Show context

neya ◴[27 Aug 25 18:16 UTC] No.45043071[source]▶

>>45034496 (OP) #

Just a normal day in Javascript land.

laughs in elixir

replies(1): >>45051129 #

1. christophilus ◴[28 Aug 25 12:04 UTC] No.45051129[source]▶

>>45043071 #

It’s not like Hex has some magical way of only downloading non-malicious packages.

If Hex gets popular enough, it will happen there, too. Even if the install process doesn’t run arbitrary code, when you actually load the library, it can do stuff, so I don’t see any reason to gloat.

↑

Malicious versions of Nx and some supporting plugins were published