
1369 points universesquid | 3 comments
0xbadcafebee No.45172225
Here we are again. 12 days ago (https://news.ycombinator.com/item?id=45039764) I commented how a similar compromise of Nx was totally preventable.

Again, this is not the failure of a single person. This is a failure of the software industry. Supply chain attacks have gigantic impacts. Yet these are all solved problems. Somebody has to just implement the standard security measures that prevent these compromises. We're software developers... we're the ones to implement them.

Every software packaging platform on the planet should already require code signing, artifact signing, user account attacker access detection heuristics, 2FA, etc. If they don't, it's not because they can't, it's because nobody has forced them to.

These attacks will not stop. With AI (and continuous proof that they work) they will now get worse. Mandate software building codes now.

replies(6): >>45173632 >>45174856 >>45175596 >>45176278 >>45176808 >>45190724
1. ropable No.45176808
> Somebody has to just implement the standard security measures that prevent these compromises.

I don't disagree, but this sentence is doing a lot of heavy lifting. See also "draw the rest of the owl".

replies(2): >>45177178 >>45178437
2. giveita No.45177178
Part of the owl can be how consumers upgrade. Don't get the latest patches but keep things up to date. Secondary sources of information about good versions to upgrade to and when. Allows time for vulns to be discovered like this before upgrading. Assumption is people can detect vulns before mass of people installing, which I think is true. Then you just need exceptions for critical security fixes.
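The quarantine-window upgrade policy sketched in the comment above, as an added example that is not from the thread: given npm-registry-style publish-date metadata (the constructed sample below imitates the registry's `time` map and is not real Nx release history), pick the newest version that has already been public for at least N days, unless a secondary source has flagged a newer version as a critical security fix.

```javascript
// Added example of a "cooling-off period" dependency policy (not from the thread).
// Input shape mimics the npm registry's `time` map ({version: ISO publish date}).
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample metadata for a hypothetical package; not real data.
const sampleTime = {
  created: "2025-01-01T00:00:00.000Z",
  modified: "2025-09-10T00:00:00.000Z",
  "1.0.0": "2025-01-01T00:00:00.000Z",
  "1.1.0": "2025-07-15T00:00:00.000Z",
  "1.1.1": "2025-09-01T00:00:00.000Z",
  "1.2.0": "2025-09-09T12:00:00.000Z",
};

function parseSemver(v) {
  return v.split(".").map(Number);
}

// Numeric major.minor.patch comparison; returns <0, 0, >0 like a sort comparator.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Choose the version to upgrade to under a minimum-age policy.
// timeMap: npm-style {version: publishDate}; non-version keys are ignored.
// opts.minAgeDays: days a release must have been public before it is eligible.
// opts.now: reference time (injected so the policy is testable offline).
// opts.securityFixes: versions a trusted secondary source marks as critical fixes,
//   which are allowed to skip the waiting period.
// Returns {version, publishedAt, reason} or null if nothing qualifies.
function selectVersion(timeMap, { minAgeDays, now, securityFixes = new Set() }) {
  const candidates = Object.entries(timeMap)
    .filter(([k]) => /^\d+\.\d+\.\d+$/.test(k)) // skip created/modified and prereleases
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }))
    .filter(({ publishedAt }) => !Number.isNaN(publishedAt.getTime()))
    .sort((a, b) => compareSemver(b.version, a.version)); // newest first

  for (const c of candidates) {
    const ageDays = (now.getTime() - c.publishedAt.getTime()) / MS_PER_DAY;
    if (ageDays >= minAgeDays) return { ...c, reason: `public for ${Math.floor(ageDays)} days` };
    if (securityFixes.has(c.version)) return { ...c, reason: "critical security fix exception" };
    // Otherwise the release is still inside the quarantine window: keep looking.
  }
  return null;
}

console.log(selectVersion(sampleTime, { minAgeDays: 14, now: new Date("2025-09-10T00:00:00Z") }));
```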
3. sussmannbaka No.45178437
We are engineers. Much like an artist could draw the rest of the owl, it’s not an unreasonable ask towards a field that each day seems to grow more accustomed to the learned helplessness.