←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)

1369 points universesquid | 4 comments | 08 Sep 25 15:37 UTC | HN request time: 0.011s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]▶

>>45169657 (OP) #

Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #

winwang ◴[08 Sep 25 16:21 UTC] No.45170202[source]▶

Just want to agree with everyone who is thanking you for owning up (and so quickly). Got phished once while drunk in college (a long time ago), could have been anyone. NPM being slowish to get back to you is a bit surprising, though. Seems like that would only make attacks more lucrative.

replies(3): >>45172493 #>>45173347 #>>45175107 #

1. internetter ◴[08 Sep 25 19:08 UTC] No.45172493[source]▶

in general npm does a not-too-great job with these things

replies(1): >>45172894 #

2. tripplyons ◴[08 Sep 25 19:38 UTC] No.45172894[source]▶

>>45172493 (TP) #

Remember, NPM stands for Now Part of Microsoft!

(Microsoft owns GitHub, which owns NPM.)

replies(1): >>45174195 #

3. thayne ◴[08 Sep 25 21:24 UTC] No.45174195[source]▶

Which means they don't have the excuse of being a volunteer effort to not be on top of this. MS has plenty of resources.

replies(1): >>45175839 #

4. dabockster ◴[09 Sep 25 00:16 UTC] No.45175839{3}[source]▶

If you're running this kind of infrastructure online these days, you have every right to require payment somehow. Don't work for free.