
1369 points universesquid | 4 comments
martypitt ◴[] No.45170121[source]
A super quick script to check the deps in your package-lock.json file is here[0].

[0]: https://gist.github.com/martypitt/0d50c350aa7f0fc73354754343...

replies(2): >>45170178 #>>45170233 #
1. patates ◴[] No.45170233[source]
Aren't these already nuked and show up in the "npm audit" command?
replies(2): >>45170271 #>>45170303 #
2. martypitt ◴[] No.45170271[source]
Nice - that's even better - thanks! TIL.
3. epmatsw ◴[] No.45170303[source]
Annoyingly, npm audit relies on github's advisory DB, which is currently incorrectly flagging all versions of these packages, not just the compromised ones.

https://github.com/github/advisory-database/issues/6098

replies(1): >>45172842 #
4. brycewray ◴[] No.45172842[source]
“Anatomy of a Billion-Download NPM Supply-Chain Attack”[0] suggests adding this to `package.json` for now...

    "overrides": {
      "chalk": "5.3.0",
      "strip-ansi": "7.1.0",
      "color-convert": "2.0.1",
      "color-name": "1.1.4",
      "is-core-module": "2.13.1",
      "error-ex": "1.3.2",
      "has-ansi": "5.0.1"
    }

EDIT: This comment[1] suggests the `npm audit` issue has now been resolved.

[0] https://jdstaerk.substack.com/i/173095305/how-to-protect-you...

[1] https://github.com/chalk/chalk/issues/656#issuecomment-32676...
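The two practical suggestions in this thread (martypitt's lock-file check and brycewray's `overrides` pins) can be combined into one lock-file scanner. The script below is an added example, not martypitt's gist and not the substack author's code: it walks a `package-lock.json` (lockfile v2/v3 `packages` map, falling back to the v1 nested `dependencies` tree), and for every install of a watched package reports any version that differs from the pinned one. The pin list is copied verbatim from the `overrides` block in the comment above; the sample lockfile at the bottom is constructed for a dry run. A mismatch means only "not the version the comment pins", and a match is not a proof of safety, since the compromised version numbers themselves are not given in this thread.

```javascript
// Added example: report installs of watched packages whose version differs
// from a pin list. Usage: node check-lock.js [path/to/package-lock.json]
// (with no argument it scans the constructed SAMPLE_LOCK below).

// Pin list taken from brycewray's "overrides" block in the thread above.
const PINNED = {
  chalk: "5.3.0",
  "strip-ansi": "7.1.0",
  "color-convert": "2.0.1",
  "color-name": "1.1.4",
  "is-core-module": "2.13.1",
  "error-ex": "1.3.2",
  "has-ansi": "5.0.1",
};

// Bare package name from a lockfile v2/v3 path such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Lockfile v1: nested installs live under dep.dependencies, so recurse.
function collectV1(deps, prefix, out) {
  for (const [name, dep] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ path, name, version: dep.version });
    collectV1(dep.dependencies, `${path}/`, out);
  }
}

// Every installed (path, name, version) triple in the lockfile, including
// duplicates nested under other packages (which npm overrides also replace).
function collectInstalls(lock) {
  const out = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === "") continue; // root project entry, not a dependency
      out.push({
        path: lockPath,
        name: entry.name || nameFromLockPath(lockPath),
        version: entry.version,
      });
    }
  } else if (lock.dependencies) {
    collectV1(lock.dependencies, "", out);
  }
  return out;
}

// Installs of watched packages whose version is not the pinned one.
function findMismatches(lock, pinned = PINNED) {
  return collectInstalls(lock)
    .filter(
      (i) =>
        Object.prototype.hasOwnProperty.call(pinned, i.name) &&
        i.version !== pinned[i.name]
    )
    .map((i) => ({ ...i, expected: pinned[i.name] }));
}

// Constructed sample lockfile (v3 layout); not from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/strip-ansi": { version: "7.1.0" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/strip-ansi": { version: "7.1.1" },
    "node_modules/color-convert": { version: "2.0.1" },
    "node_modules/color-name": { version: "1.1.5" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCK;
  const bad = findMismatches(lock);
  for (const m of bad) {
    console.log(`${m.path}: ${m.name}@${m.version} (pinned ${m.expected})`);
  }
  if (file) process.exitCode = bad.length ? 1 : 0; // non-zero for CI gating
}
```

Run against a real lock file, a non-zero exit makes this usable as a CI gate; the nested-install case in the sample (a second `strip-ansi` under `some-cli`) is exactly the kind of copy a top-level `npm ls` glance misses and that the `overrides` block forces to the pinned version on the next install.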