←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 3 comments | 08 Sep 25 15:37 UTC | HN request time: 0.444s | source
Show context
alaintno ◴[08 Sep 25 14:37 UTC] No.45168876[source]
How is it possible that this code (line 9 of the index.js) isn't present in the source github repo, but can be seen in the beta feature of npmjs.com?

Also, the package 1.3.3 has been downloaded 0 times according to npmjs.com, how can the writer of this article has been able to detect this and not increment the download counter?

replies(2): >>45168982 #>>45172960 #
1. DDerTyp ◴[08 Sep 25 14:45 UTC] No.45168982[source]
The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.

replies(2): >>45169024 #>>45169408 #
2. alaintno ◴[08 Sep 25 14:48 UTC] No.45169024[source]
I see, thanks for the explanations, and thanks for warning us about this!
3. Jenk ◴[08 Sep 25 15:18 UTC] No.45169408[source]
It can also be that the repo was modified after a release.