←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 7 comments | 08 Sep 25 15:37 UTC | HN request time: 1.127s | source | bottom
Show context
joaomoreno ◴[08 Sep 25 16:49 UTC] No.45170585[source]
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
yifanl ◴[08 Sep 25 18:47 UTC] No.45172189[source]
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 #>>45174960 #
hunter2_ ◴[08 Sep 25 19:28 UTC] No.45172767[source]
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 #>>45174003 #>>45174196 #
anthk ◴[08 Sep 25 21:24 UTC] No.45174196[source]
APT repos for Debian, Trisquel, Ubuntu... require far more checkings and bureaucracy.
replies(1): >>45174375 #
1. socalgal2 ◴[08 Sep 25 21:40 UTC] No.45174375[source]
I'll bet they don't. There's way to much churn for it all to be checked
replies(2): >>45174994 #>>45175530 #
2. justusthane ◴[08 Sep 25 22:35 UTC] No.45174994[source]
No, they are extremely well vetted. Have you ever heard of a supply chain attack involving Red Hat, Debian or Ubuntu repos?
replies(1): >>45175191 #
3. jonquest ◴[08 Sep 25 22:56 UTC] No.45175191[source]
Yes, the XZ attack affected Fedora nightly and Debian testing and unstable. Yes, it got caught before it made it into a stable distribution (this time).

https://www.redhat.com/en/blog/understanding-red-hats-respon...

https://lists.debian.org/debian-security-announce/2024/msg00...

replies(1): >>45181120 #
4. const_cast ◴[08 Sep 25 23:36 UTC] No.45175530[source]
Churn? On Debian?

It takes like 2 years to get up to date packages. This isn't NPM.

replies(1): >>45176926 #
5. SchemaLoad ◴[09 Sep 25 03:06 UTC] No.45176926[source]
The xscreensaver dev managed to very easily slip a timebomb in to the debian repos. Wasn't obscured in any way, the repo maintainers just don't review the code. It would be physically impossible for them to review all the changes in all the programs.
6. goodpoint ◴[09 Sep 25 12:37 UTC] No.45181120{3}[source]
So the attack was successfully stopped and you complain about it?
replies(1): >>45186470 #
7. jonquest ◴[09 Sep 25 18:34 UTC] No.45186470{4}[source]
I’m not complaining, I’m pointing out facts. If the facts offend you, that’s your problem. Ignore them if you wish.