←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 3 comments | 08 Sep 25 15:37 UTC | HN request time: 0.693s | source
Show context
joaomoreno ◴[08 Sep 25 16:49 UTC] No.45170585[source]
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
yifanl ◴[08 Sep 25 18:47 UTC] No.45172189[source]
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 #>>45174960 #
hunter2_ ◴[08 Sep 25 19:28 UTC] No.45172767[source]
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 #>>45174003 #>>45174196 #
dmitrygr ◴[08 Sep 25 21:07 UTC] No.45174003[source]
> don't we consider things like `brew` to be sufficiently low-risk,

Like ... npm?

replies(2): >>45174514 #>>45175021 #
fn-mote ◴[08 Sep 25 22:38 UTC] No.45175021[source]
Nah…

Everybody knows npm is a gaping security issue waiting to happen. Repeatedly.

It’s convenient, so it’s popular.

Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

replies(3): >>45175798 #>>45177580 #>>45186549 #
1. dabockster ◴[09 Sep 25 00:11 UTC] No.45175798[source]
> Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

npm sold it really hard that you could rely on them and not have to vendor dependencies yourself. If I suggested that a decade ago in Seattle, I would have gotten booed out of the room.

replies(1): >>45176729 #
2. marcus_holmes ◴[09 Sep 25 02:33 UTC] No.45176729[source]
I have repeatedly been met with derision when pointing out what a gaping security nightmare the whole Open Source system is, especially npm and its ilk.

Yet here we are. And this is going to get massively worse, not better.

replies(1): >>45179724 #
3. Intermernet ◴[09 Sep 25 09:39 UTC] No.45179724[source]
Nothing specific to open source is to blame in this instance. The author got phished. Open source software often has better code vetting and verification than closed source software. npm, however, does not.