
1369 points universesquid | 3 comments
joaomoreno No.45170585
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142, >>45171275, >>45171304, >>45171841, >>45172110, >>45172189, >>45174730, >>45175821
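As an added example (not from the thread, and not sindresorhus's or the chalk project's code): a grep-based version of the same check for machines without ripgrep, which also reports which package each hit sits in. It assumes only the marker string `_0x112fa8` quoted in the comment above and a node_modules tree to scan; the demo tree it builds is constructed and contains no real package. Two details of the original one-liner worth knowing: `-u` is needed because node_modules is usually gitignored and ripgrep skips ignored files by default, and `--max-columns=80` only truncates the printed line so minified bundles do not flood the terminal. Plain `grep -r` applies no ignore-file filtering, so it needs neither.

```shell
#!/bin/sh
# Added example, not code from the thread. The marker string is the one quoted
# from the linked chalk issue comment; every other name here is assumed.
MARKER='_0x112fa8'

# scan_tree DIR: print every regular file under DIR that contains MARKER.
# Returns 0 when at least one file matches, 1 when the tree is clean.
# -r recurse, -l list file names only, -I skip binaries, -F fixed string
# (no regex surprises), -- ends options so a marker starting with '-' is safe.
scan_tree() {
    hits=$(grep -rlIF -- "$MARKER" "$1" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# package_of PATH: the npm package directory containing PATH, i.e. the path
# component(s) after the last "node_modules/". Scoped packages keep "@scope/name".
package_of() {
    rest="${1##*node_modules/}"
    case "$rest" in
        @*) printf '%s\n' "$rest" | cut -d/ -f1-2 ;;
        *)  printf '%s\n' "${rest%%/*}" ;;
    esac
}

# report_packages DIR: unique package names containing MARKER, one per line.
# Returns 1 when nothing matched, so it can be used as a CI gate.
report_packages() {
    files=$(scan_tree "$1") || return 1
    printf '%s\n' "$files" | while IFS= read -r f; do package_of "$f"; done | sort -u
}

# make_demo_tree DIR: a constructed node_modules tree with one clean package
# and one scoped package carrying the marker. Not real packages, not real malware.
make_demo_tree() {
    mkdir -p "$1/node_modules/clean-pkg" "$1/node_modules/@scope/bad-pkg/dist"
    printf 'module.exports = 1;\n' > "$1/node_modules/clean-pkg/index.js"
    printf 'var %s = function () {};\n' "$MARKER" > "$1/node_modules/@scope/bad-pkg/dist/index.js"
}

# Stand-alone use: DEMO=1 scans the constructed tree; otherwise pass a project
# directory as the first argument, e.g. `sh check.sh .`
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    report_packages "$tmp"      # prints: @scope/bad-pkg
    rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
    report_packages "$1" && echo "marker found: review the packages above" || echo "no hit under $1"
fi
```

Run it against the root of a project (it descends into nested node_modules directories as well), and treat a non-zero exit as "clean" rather than as an error when wiring it into CI.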
yifanl No.45172189
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767, >>45174960
hunter2_ No.45172767
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964, >>45174003, >>45174196
anthk No.45174196
APT repos for Debian, Trisquel, Ubuntu... require far more checking and bureaucracy.
replies(1): >>45174375
socalgal2 No.45174375
I'll bet they don't. There's way too much churn for it all to be checked.
replies(2): >>45174994, >>45175530
justusthane No.45174994
No, they are extremely well vetted. Have you ever heard of a supply chain attack involving Red Hat, Debian or Ubuntu repos?
replies(1): >>45175191
jonquest No.45175191
Yes, the XZ attack affected Fedora nightly and Debian testing and unstable. Yes, it got caught before it made it into a stable distribution (this time).

https://www.redhat.com/en/blog/understanding-red-hats-respon...

https://lists.debian.org/debian-security-announce/2024/msg00...

replies(1): >>45181120
goodpoint No.45181120
So the attack was successfully stopped and you complain about it?
replies(1): >>45186470
jonquest No.45186470
I’m not complaining, I’m pointing out facts. If the facts offend you, that’s your problem. Ignore them if you wish.