←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 3 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
simpaticoder ◴[08 Sep 25 16:41 UTC] No.45170488[source]
I've come to the conclusion that avoiding the npm registry is a great benefit. The alternative is to import packages directly from the (git) repository. Apart from being a major vector for supply-chain attacks like this one, it is also true that there is little or no coupling between the source of a project and its published code. The 'npm publish' step takes pushes local contents into the registry, meaning that a malefactor can easily make changes to code before publishing.
replies(5): >>45170843 #>>45171235 #>>45171399 #>>45172081 #>>45175895 #
1. aabbccsmith ◴[08 Sep 25 17:47 UTC] No.45171399[source]
npm's recent provenance feature fixes this, and it's pretty easy to setup. It will seriously help prevent things like this from ever happening again, and I'm really glad that big packages are starting to use it.
replies(1): >>45173039 #
2. billywhizz ◴[08 Sep 25 19:49 UTC] No.45173039[source]
> When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not
replies(1): >>45173998 #
3. OptionOfT ◴[08 Sep 25 21:06 UTC] No.45173998[source]
It prevents the npm publish from locally modified source code.