
1369 points universesquid | 10 comments
1. martypitt No.45170121
A super quick script to check the deps in your package-lock.json file is here[0].

[0]: https://gist.github.com/martypitt/0d50c350aa7f0fc73354754343...

replies(2): >>45170178 #>>45170233 #
2. krona No.45170178
how about:

grep -r "_0x112fa8"

replies(1): >>45170506 #
3. patates No.45170233
aren't these already nuked and show up in the "npm audit" command?
replies(2): >>45170271 #>>45170303 #
4. martypitt No.45170271
Nice - that's even better - thanks! TIL.
5. epmatsw No.45170303
Annoyingly, npm audit relies on github's advisory DB, which is currently incorrectly flagging all versions of these packages, not just the compromised ones.

https://github.com/github/advisory-database/issues/6098

replies(1): >>45172842 #
6. 9dev No.45170506
Irritatingly, this doesn't turn up anything, despite having a theoretically-compromised project as per the package-lock.json… At least on my end.
replies(2): >>45170718 #>>45172597 #
7. mewpmewp2 No.45170718{3}
What do you mean irritatingly? Do you mean that you think 'grep -r "_0x112fa8"' is not enough or are you irritated that npm audit is flagging as if it was compromised?
replies(1): >>45171802 #
8. 9dev No.45171802{4}
I'm irritated because I expected to find at least one compromised file, but there were none. It may be, though, that we only use the affected packages as transitive development dependencies, in which case they are not installed locally. But a sliver of doubt remains that I missed something.
9. AgentME No.45172597{3}
If you had the dependency installed before this attack, then you would still be pinned to an old safe version.
10. brycewray No.45172842{3}
“Anatomy of a Billion-Download NPM Supply-Chain Attack”[0] suggests adding this to `package.json` for now...

    "overrides": {
      "chalk": "5.3.0",
      "strip-ansi": "7.1.0",
      "color-convert": "2.0.1",
      "color-name": "1.1.4",
      "is-core-module": "2.13.1",
      "error-ex": "1.3.2",
      "has-ansi": "5.0.1"
    }

EDIT: This comment[1] suggests `npm audit` issue has now been resolved.

[0] https://jdstaerk.substack.com/i/173095305/how-to-protect-you...

[1] https://github.com/chalk/chalk/issues/656#issuecomment-32676...