1369 points universesquid | 10 comments
cddotdotslash (No.45170804)
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
replies(5): >>45170982, >>45172458, >>45172566, >>45173494, >>45175539
1. PokestarFan (No.45170982)
NPM is owned by GitHub and therefore Microsoft, who is too busy putting Copilot into apps that have 0 reason to have any form of generative AI in them.
replies(5): >>45172925, >>45172926, >>45173133, >>45175660, >>45179454
2. Cthulhu_ (No.45172925)
But GitHub does loads of things with security, including reporting compromised NPM packages. I didn't know NPM is owned by Microsoft these days though. Now that I think about it, Microsoft of all parties should be right on top of this supply chain attack vector: they've been burned hard by security issues for decades, especially in the mid to late 90s and early 2000s, as hundreds of millions of devices were connected to the internet but their OS wasn't ready for it yet.
3. bnchrch (No.45172926)
Good god. Not everything has to be about your opinion on AI.
replies(2): >>45173693, >>45174064
4. wutbrodo (No.45173133)
It's not like NPM pre-Microsoft was a paragon of professional management or engineering...
replies(2): >>45174132, >>45176182
5. jay_kyburz (No.45173693)
Actually, they could probably use AI to see if each update to a package looks malicious or obfuscated.
6. PokestarFan (No.45174064)
GitHub was folded into Microsoft's "CoreAI" team. Not very confidence-inspiring.
7. mixologic (No.45174132)
The difference is in the apparent available resources. You can't get to "professional" without the time and money, and NPM post-acquisition, presumably, has more of both. Granted, NPM probably doesn't have a revenue model to speak of, which means Microsoft is probably not paying it much attention.
8. andix (No.45175660)
Is it really owned and run by Microsoft? I thought they only provide infrastructure, servers and funding.
9. Maxious (No.45176182)
For those who have forgotten, Microsoft buying npm was basically a community service, given npm, Inc. was on the brink of collapsing.

https://www.businessinsider.com/npm-ceo-bryan-bogensberger-r...

https://www.businessinsider.com/npm-cofounder-laurie-voss-re...

10. txdv (No.45179454)
Just write a check.md instruction for Copilot to check it for malicious activity, problem solved.