NPM debug and chalk packages compromised

(www.aikido.dev)

1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0.014s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

dist-epoch ◴[08 Sep 25 16:09 UTC] No.45170028[source]▶

Given that most of these kind of attacks are detected relatively quickly, NPM should implement a feature where it doesn't install/upgrade packages newer than 3 days, and just use the previous version.

replies(3): >>45170138 #>>45170232 #>>45170382 #

1. mcintyre1994 ◴[08 Sep 25 16:16 UTC] No.45170138[source]▶

>>45170028 #

Would it be spotted quickly if nobody got the update though? It'd probably just go undetected for 3 days instead. In this case one team spotted it because their CI picked up the new version (https://jdstaerk.substack.com/p/we-just-found-malicious-code...).

replies(1): >>45170482 #

2. skybrian ◴[08 Sep 25 16:41 UTC] No.45170482[source]▶

>>45170138 (TP) #

The question is who picks up the vulnerable version first. With minimal version selection (like Go has), the people with a direct dependency on the vulnerable library go first, after running a command to update their direct dependencies. People with indirect dependencies don’t get the new version until a direct dependency does a release pointing at the vulnerable version, passing it on.

Not sure if that would be a better result in the end. It seems like it depends on who has direct dependencies and how much testing they do. Do they pass it on or not?

↑