
1369 points universesquid | 2 comments

joaomoreno No.45170585
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

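A dependency-free version of the check above, added here as an example and not code from the thread, from sindresorhus or from the chalk project: it runs the same literal search with grep(1) instead of ripgrep, so nothing has to be installed before running it, and it reports the offending package names rather than raw file paths. The indicator `_0x112fa8` is the one named in the linked chalk issue; the function names and the constructed node_modules tree are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from chalk): grep-based equivalent of
# `rg -u --max-columns=80 _0x112fa8`. The indicator string is the one from the
# linked issue; functions and the sample tree are constructed for this example.

INDICATOR='_0x112fa8'

# scan_tree DIR [INDICATOR]
# Lists every text file under DIR containing the indicator, one path per line.
#   -r  recurse. ripgrep skips anything listed in .gitignore unless given -u,
#       and node_modules is almost always ignored, which is why the original
#       command needs -u; grep has no ignore-file logic and looks everywhere.
#   -l  file names only; -I skip binaries; -F literal match, not a regex.
scan_tree() {
    dir=$1
    needle=${2:-$INDICATOR}
    grep -rlIF -- "$needle" "$dir" 2>/dev/null
}

# count_hits DIR [INDICATOR]: number of files that contain the indicator.
count_hits() {
    scan_tree "$1" "$2" | wc -l | tr -d ' '
}

# hit_packages DIR [INDICATOR]: package names (the component after the
# innermost node_modules/, keeping @scope/name together) that contain the
# indicator, de-duplicated, so the output names what to pin or remove.
hit_packages() {
    scan_tree "$1" "$2" | while IFS= read -r path; do
        rest=${path##*node_modules/}        # e.g. @scope/name/lib/x.js
        pkg=${rest%%/*}
        case $pkg in
            @*) tail=${rest#*/}; pkg=$pkg/${tail%%/*} ;;
        esac
        echo "$pkg"
    done | sort -u
}

# Constructed sample tree: two tampered packages (one scoped) and a clean one.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/node_modules/tampered-pkg" \
             "$root/node_modules/@evil/tampered" \
             "$root/node_modules/clean-pkg"
    # Stand-ins for an obfuscated payload; only the identifier matters here.
    printf 'const _0x112fa8 = function () { /* payload elided */ };\n' \
        > "$root/node_modules/tampered-pkg/index.js"
    printf 'var _0x112fa8 = 0;\n' > "$root/node_modules/@evil/tampered/lib.js"
    printf 'module.exports = (s) => s.toUpperCase();\n' \
        > "$root/node_modules/clean-pkg/index.js"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "files matching $INDICATOR: $(count_hits "$root")"
    echo "packages to investigate:"
    hit_packages "$root"
    rm -rf "$root"
fi
```

Run it with `--demo` to see it against the constructed tree, or source it in a project root and call `hit_packages .` for a real check. The `--max-columns=80` in the original command only truncates the very long minified lines when printing matches; it does not change what is matched. Note what a clean result means: it is evidence only against this one payload, whose identifier is known. A differently obfuscated or renamed payload would not be found by a single literal string, so this is a quick triage step, not a substitute for pinning dependencies and reviewing lockfile changes.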
yifanl No.45172189
Asking people to run random install scripts just feels very out of place given the context.
hunter2_ No.45172767
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
anthk No.45174196
APT repos for Debian, Trisquel, Ubuntu... require far more checking and bureaucracy.
socalgal2 No.45174375
I'll bet they don't. There's way too much churn for it all to be checked.
const_cast No.45175530
Churn? On Debian?

It takes like 2 years to get up to date packages. This isn't NPM.

SchemaLoad No.45176926
The xscreensaver dev managed to very easily slip a timebomb into the Debian repos. It wasn't obscured in any way; the repo maintainers just don't review the code. It would be physically impossible for them to review all the changes in all the programs.