Most active commenters
  • hsbauauvhabzb(5)
  • 33a(4)
  • Yoric(4)
  • ATechGuy(4)
  • josephg(3)

←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 36 comments | 08 Sep 25 15:37 UTC | HN request time: 0.236s | source | bottom
Show context
junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
1. 33a ◴[08 Sep 25 18:19 UTC] No.45171859[source]
We also caught this right away at Socket,

https://socket.dev/blog/npm-author-qix-compromised-in-major-...

While it sucks that this happened, the good thing is that the ecosystem mobilized quickly. I think these sorts of incidents really show why package scanning is essential for securing open source package repositories.

replies(3): >>45173871 #>>45173938 #>>45174071 #
2. ◴[08 Sep 25 21:01 UTC] No.45173938[source]
3. Yoric ◴[08 Sep 25 21:12 UTC] No.45174071[source]
So how do you detect these attacks?
replies(2): >>45174292 #>>45175681 #
4. veber-alex ◴[08 Sep 25 21:32 UTC] No.45174292[source]
AI based code review with escalation to a human
replies(1): >>45174765 #
5. hsbauauvhabzb ◴[08 Sep 25 22:14 UTC] No.45174741[source]
For those interested, points associated with this post spiked to at least 4 then dropped back to one. Take of that what you will.
6. Yoric ◴[08 Sep 25 22:17 UTC] No.45174765{3}[source]
I'm curious :)

Does the AI detect the obfuscation?

replies(3): >>45175006 #>>45176325 #>>45246094 #
7. justusthane ◴[08 Sep 25 22:37 UTC] No.45175006{4}[source]
Probably. It’s trivial to plug some obfuscated code into an LLM and ask it what it does.
replies(1): >>45175437 #
8. fn-mote ◴[08 Sep 25 22:41 UTC] No.45175062[source]
You could at least offer some kind of substantive criticism of the tool (“socket”).
replies(1): >>45175662 #
9. spartanatreyu ◴[08 Sep 25 23:24 UTC] No.45175437{5}[source]
Yeah, but just imagine how many false positives and false negatives there would be...
10. hsbauauvhabzb ◴[08 Sep 25 23:52 UTC] No.45175662{3}[source]
Do I need any? Automated tools cannot prevent malicious code being injected. While they can make attempts to evaluate common heuristics and will catch low hanging malware, they are not fool proof against highly targeted attacks.

Either way, the parent post is clearly ambulance chasing rather than having a productive conversation, which should really be about whether or not automatically downloading and executing huge hierarchal trees of code is absolutely fucking crazy, rather than a blatant attempt to make money off an ongoing problem without actually solving anything.

replies(3): >>45175747 #>>45177003 #>>45178650 #
11. 33a ◴[08 Sep 25 23:54 UTC] No.45175681[source]
We use a mix of static analysis and AI. Flagged packages are escalated to a human review team. If we catch a malicious package, we notify our users, block installation and report them to the upstream package registries. Suspected malicious packages that have not yet been reviewed by a human are blocked for our users, but we don't try to get them removed until after they have been triaged by a human.

In this incident, we detected the packages quickly, reported them, and they were taken down shortly after. Given how high profile the attack was we also published an analysis soon after, as did others in the ecosystem.

We try to be transparent with how Socket work. We've published the details of our systems in several papers, and I've also given a few talks on how our malware scanner works at various conferences:

* https://arxiv.org/html/2403.12196v2

* https://www.youtube.com/watch?v=cxJPiMwoIyY

replies(2): >>45176864 #>>45208822 #
12. 33a ◴[09 Sep 25 00:04 UTC] No.45175747{4}[source]
When we find malware on any registry (npm, rubygems, pypi or otherwise), we immediately report it to the upstream registry and try to get it taken down. This helps reduce the blast radius from incidents like this and mitigates the damage done to the entire ecosystem.

You can call it ambulance chasing, but I think this is a good thing for the whole software ecosystem if people aren't accidentally bundling cryptostealers in their web apps.

And regarding not copying massive trees of untrusted dependencies: I am actually all for this! It's better to have fewer dependencies, but this is also not how software works today. Given the imperfect world we have, I think it's better to at least try to do something to detect and block malware than just complain about npm.

replies(1): >>45176005 #
13. hsbauauvhabzb ◴[09 Sep 25 00:36 UTC] No.45176005{5}[source]
So instead you prolong the problem while making money? Nice!
replies(1): >>45177742 #
14. 33a ◴[09 Sep 25 01:27 UTC] No.45176325{4}[source]
It's actually pretty easy to detect that something is obfuscated, but it's harder to prove that the obfuscated code is actually harmful. This is why we still have a team of humans review flagged packages before we try to get them taken down, otherwise you would end up with way too many false positives.
replies(1): >>45177854 #
15. ATechGuy ◴[09 Sep 25 02:55 UTC] No.45176864{3}[source]
You rely on LLMs riddled with hallucinations for malware detection?
replies(4): >>45177009 #>>45177608 #>>45177731 #>>45178490 #
16. josephg ◴[09 Sep 25 03:17 UTC] No.45176986[source]
Apparently it found this attack more or less immediately.

It seems strange to attack a service like this right after it actively helped keep people safe from malware. I'm sure its not perfect, but it sounds like they deserve to take a victory lap.

replies(1): >>45177254 #
17. josephg ◴[09 Sep 25 03:20 UTC] No.45177003{4}[source]
> Do I need any? Automated tools cannot prevent malicious code being injected. While they can make attempts to evaluate common heuristics and will catch low hanging malware, they are not fool proof against highly targeted attacks.

So just because a lock isn't 100% effective at keeping out criminals we shouldn't lock our doors?

replies(1): >>45177272 #
18. jmb99 ◴[09 Sep 25 03:21 UTC] No.45177009{4}[source]
I'm not exactly pro-AI, but even I can see that their system clearly works well in this case. If you tune the model to favour false positives, with a human review step (that's quick), I can image your response time being cut from days to hours (and your customers getting their updates that much faster).
replies(1): >>45182837 #
19. hsbauauvhabzb ◴[09 Sep 25 04:04 UTC] No.45177254{3}[source]
I don’t think celebrating a company who has a distinct interest in prolonging a problem while they profit off it is a good thing, no.
replies(1): >>45177555 #
20. hsbauauvhabzb ◴[09 Sep 25 04:07 UTC] No.45177272{5}[source]
Im not sure how that relates to the company ambulance chasing on what should be a public service announcement without a shade of advertising.

That’s like lock companies parading around when their neighbour is murdered during a burglary but they weren’t because they bought a Foobar(tm) lock.

21. josephg ◴[09 Sep 25 04:52 UTC] No.45177555{4}[source]
They're profiting off helping to solve the problem through early warning and detection. And by keeping their customers safe from stuff like this.

Seems good to me. I want more attention and more tooling around this problem. You seem mad at them for helping solve a real problem?

22. Mawr ◴[09 Sep 25 05:03 UTC] No.45177608{4}[source]
"LLM bad"

Very insightful.

23. Culonavirus ◴[09 Sep 25 05:25 UTC] No.45177731{4}[source]
He literally said "Flagged packages are escalated to a human review team." in the second sentence. Wtf is the problem here?
replies(1): >>45182830 #
24. jondwillis ◴[09 Sep 25 05:28 UTC] No.45177742{6}[source]
I’m all for thinking about second, or third, or fourth order effects of behavior, but unless you have proof that Socket is doing something like lobbying that developers keep using NPM against their own best interests, frankly, I don’t know what your point here is.
25. Yoric ◴[09 Sep 25 05:44 UTC] No.45177854{5}[source]
Yeah, what I meant is that obfuscation is a strong sign that something needs to be flagged for review. Sadly, there's only a thin line between obfuscation and minification, so I was wondering how many false positives you get.

Thanks for the links in your other comment, I'll take a look!

26. wiseowise ◴[09 Sep 25 07:02 UTC] No.45178490{4}[source]
> We use a mix of static analysis and AI. Flagged packages are escalated to a human review team.

“Chat, I have reading comprehension problems. How do I fix it?”

replies(1): >>45198971 #
27. LocalH ◴[09 Sep 25 07:27 UTC] No.45178650{4}[source]
The more tools that exist to help find vulnerabilities, the better, as long as they're not used in a fully automated fashion. Human vetting is vital, but using tools to alert humans to such issues is a boon.
28. ATechGuy ◴[09 Sep 25 14:59 UTC] No.45182830{5}[source]
What about packages that are not "flagged"? There could be hallucinations when deciding to (or not) "flag packages".
replies(1): >>45183112 #
29. ATechGuy ◴[09 Sep 25 14:59 UTC] No.45182837{5}[source]
You are assuming that they build their own models.
30. orbital-decay ◴[09 Sep 25 15:16 UTC] No.45183112{6}[source]
>What about packages that are not "flagged"?

You can't catch everything with normal static analysis either. LLM just produces some additional signal in this case, false negatives can be tolerated.

replies(1): >>45183273 #
31. ATechGuy ◴[09 Sep 25 15:25 UTC] No.45183273{7}[source]
static analysis DOES NOT hallucinate.
replies(2): >>45184369 #>>45209477 #
32. Twirrim ◴[09 Sep 25 16:27 UTC] No.45184369{8}[source]
So what? They're not replacing standard tooling like static analysis with it. As they mention, it's being used as additional signal alongside static analysis.

There are cases an LLM may be able to catch that their static analysis can't currently catch. Should they just completely ignore those scenarios, thereby doing the worst thing by their customers, just to stay purist?

What is the worst case scenario that you're envisioning from an LLM hallucinating in this use case? To me the worst case is that it might incorrectly flag a package as malicious, which given they do a human review anyway isn't the end of the world. On the flip side, you've got LLM catching cases not yet recognised by static analysis, that can then be accounted for in the future.

If they were just using an LLM, I might share similar concerns, but they're not.

33. atanasi ◴[10 Sep 25 15:13 UTC] No.45198971{5}[source]
Reading comprehension problems can often be caught with some static analysis combined with AI.
34. Yoric ◴[11 Sep 25 07:26 UTC] No.45208822{3}[source]
So, from what I understand from your paper, you're using ChatGPT with careful prompts?
35. tripzilch ◴[11 Sep 25 09:20 UTC] No.45209477{8}[source]
well, you've never had a non-spam email end up in your spam folder? or the other way around?

when static analysis does it, it's called a "misclassification"

36. nurettin ◴[15 Sep 25 04:22 UTC] No.45246094{4}[source]
I think that would be static analysis. After processing the source code normally (looking for net & sys calls), you decode base64, concatenate all strings and process again (until decode makes no change)