←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 4 comments | 08 Sep 25 15:37 UTC | HN request time: 0.004s | source
Show context
0xbadcafebee ◴[08 Sep 25 18:49 UTC] No.45172225[source]
Here we are again. 12 days ago (https://news.ycombinator.com/item?id=45039764) I commented how a similar compromise of Nx was totally preventable.

Again, this is not the failure of a single person. This is a failure of the software industry. Supply chain attacks have gigantic impacts. Yet these are all solved problems. Somebody has to just implement the standard security measures that prevents these compromises. We're software developers... we're the ones to implement them.

Every software packaging platform on the planet should already require code signing, artifact signing, user account attacker access detection heuristics, 2FA, etc. If they don't, it's not because they can't, it's because nobody has forced them to.

These attacks will not stop. With AI (and continuous proof that they work) they will now get worse. Mandate software building codes now.

replies(6): >>45173632 #>>45174856 #>>45175596 #>>45176278 #>>45176808 #>>45190724 #
1. TheJoeMan ◴[09 Sep 25 01:20 UTC] No.45176278[source]
For a package with thousands of downloads a week, does the publishing pace need to be so fast? New version could be uploaded to NPM, then perhaps a notification email to the maintainer saying it will go live on XX date and click here to cancel?
replies(1): >>45176449 #
2. 0xbadcafebee ◴[09 Sep 25 01:45 UTC] No.45176449[source]
A standard release process for Linux distro packages is 1) submitting a new revision, 2) having it approved by a repository maintainer, 3) it cooks a while in unstable, 4) then in testing, and finally 5) is released as stable. So there's an approval process, a testing phase, and finally a release. And since it's impossible for people to upload a brand new package into a package repository without this process, typosquatting never happens.

Sadly, programming language package managers have normalized the idea that everyone who uses the package manager should be exposed to every random package and release from random strangers with no moderation. This would be unthinkable for a Linux distribution. (You can of course add 3rd-party Linux package repositories, unstable release branches, etc, which should enforce the same type of rules, but they don't have to)

Linux distros are still vulnerable to supply chain attacks though. It's very rare but it has happened. So regardless of the release process, you need all the other mitigations to secure the supply chain. And once they're set up it's all pretty automatic and easy (I use them all day at work).

replies(2): >>45178900 #>>45182294 #
3. bbarnett ◴[09 Sep 25 07:58 UTC] No.45178900[source]
It's a problem solved decades ago, as you say. Devs, not caring about security or trust, just found it inconvenient.

This will probably be reigned in soon. Many companies I know are backing away from npm/node, and even composer. It's just too risky an ecosystem.

4. papyrus9244 ◴[09 Sep 25 14:19 UTC] No.45182294[source]
And for any Arch users reading this, AUR is the wild west too.