←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 5 comments | 08 Sep 25 15:37 UTC | HN request time: 0.675s | source
Show context
joaomoreno ◴[08 Sep 25 16:49 UTC] No.45170585[source]
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
yifanl ◴[08 Sep 25 18:47 UTC] No.45172189[source]
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 #>>45174960 #
hunter2_ ◴[08 Sep 25 19:28 UTC] No.45172767[source]
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 #>>45174003 #>>45174196 #
1. tripplyons ◴[08 Sep 25 19:42 UTC] No.45172964[source]
Anyone can upload an NPM package without much review. For Homebrew, you at least have to submit a pull request.
replies(2): >>45177196 #>>45182290 #
2. what ◴[09 Sep 25 03:52 UTC] No.45177196[source]
Homebrew has been compromised before. To think it’s immune is a bit naive.
replies(2): >>45182243 #>>45183548 #
3. n8m8 ◴[09 Sep 25 14:14 UTC] No.45182243[source]
Agreed that it's a bit funny given the context and no community-managed package manager should be 100% trusted.

That said, I think rg is pretty well known to linux daily-drivers and they just wanted to share something quickly for powerusers who want to check their workspaces quickly. Probably better to just instruct n00bs to use grep than install a whole cli tool for searching

Come to think of it, I wonder if a 2-phase attack could be planned by an attacker in the future: Inject malware into a package, flood guidance with instructions to install another popular tool that you also recently compromised... lol

4. n8m8 ◴[09 Sep 25 14:19 UTC] No.45182290[source]
https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malwa...

> Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another.

---

So there might be pull requests, but Brew's official stance is that they do not actively moderate casks for malware. I guess there's something built into the MacOS packaging step that help mitigate the risk, but I don't know much about it outside playing w/ app development in XCode.

5. tripplyons ◴[09 Sep 25 15:40 UTC] No.45183548[source]
I'm not saying its immune. I'm saying that NPM doesn't have as many protections, making NPM an easier target.