←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 9 comments | 08 Sep 25 15:37 UTC | HN request time: 0.421s | source | bottom
Show context
joaomoreno ◴[08 Sep 25 16:49 UTC] No.45170585[source]
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
yifanl ◴[08 Sep 25 18:47 UTC] No.45172189[source]
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 #>>45174960 #
hunter2_ ◴[08 Sep 25 19:28 UTC] No.45172767[source]
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 #>>45174003 #>>45174196 #
1. dmitrygr ◴[08 Sep 25 21:07 UTC] No.45174003[source]
> don't we consider things like `brew` to be sufficiently low-risk,

Like ... npm?

replies(2): >>45174514 #>>45175021 #
2. hunter2_ ◴[08 Sep 25 21:52 UTC] No.45174514[source]
I thought getting code into brew is blocked by some vetting (potentially insufficient, which could be argued for all supply chains), whereas getting code into npm involves no vetting whatsoever.
replies(1): >>45182278 #
3. fn-mote ◴[08 Sep 25 22:38 UTC] No.45175021[source]
Nah…

Everybody knows npm is a gaping security issue waiting to happen. Repeatedly.

It’s convenient, so it’s popular.

Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

replies(3): >>45175798 #>>45177580 #>>45186549 #
4. dabockster ◴[09 Sep 25 00:11 UTC] No.45175798[source]
> Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

npm sold it really hard that you could rely on them and not have to vendor dependencies yourself. If I suggested that a decade ago in Seattle, I would have gotten booed out of the room.

replies(1): >>45176729 #
5. marcus_holmes ◴[09 Sep 25 02:33 UTC] No.45176729{3}[source]
I have repeatedly been met with derision when pointing out what a gaping security nightmare the whole Open Source system is, especially npm and its ilk.

Yet here we are. And this is going to get massively worse, not better.

replies(1): >>45179724 #
6. albedoa ◴[09 Sep 25 04:57 UTC] No.45177580[source]
> Nah…

I mean, I believe you, but the person you are replying to obviously believes that they are similar. Could you explain the significant differences?

7. Intermernet ◴[09 Sep 25 09:39 UTC] No.45179724{4}[source]
Nothing specific to open source is to blame in this instance. The author got phished. Open source software often has better code vetting and verification than closed source software. npm, however, does not.
8. n8m8 ◴[09 Sep 25 14:17 UTC] No.45182278[source]
Went and found the link: https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malwa...

> Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another.

9. johnisgood ◴[09 Sep 25 18:38 UTC] No.45186549[source]
Convenient, as in the barrier to entry is way too low. I am pretty much against it.