
1369 points universesquid | 3 comments
joaomoreno No.45170585
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
yifanl No.45172189
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 #>>45174960 #
hunter2_ No.45172767
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 #>>45174003 #>>45174196 #
tripplyons No.45172964
Anyone can upload an NPM package without much review. For Homebrew, you at least have to submit a pull request.
replies(2): >>45177196 #>>45182290 #
what No.45177196
Homebrew has been compromised before. To think it’s immune is a bit naive.
replies(2): >>45182243 #>>45183548 #
n8m8 No.45182243
Agreed that it's a bit funny given the context and no community-managed package manager should be 100% trusted.

That said, I think rg is pretty well known to linux daily-drivers and they just wanted to share something quickly for powerusers who want to check their workspaces quickly. Probably better to just instruct n00bs to use grep than install a whole cli tool for searching.

Come to think of it, I wonder if a 2-phase attack could be planned by an attacker in the future: Inject malware into a package, flood guidance with instructions to install another popular tool that you also recently compromised... lol
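As an added example (not code from the thread, from sindresorhus, or from any of the projects mentioned), here is a grep-only version of the `rg -u --max-columns=80 _0x112fa8` check quoted above, along the lines n8m8 suggests for people who would rather not install ripgrep to run it. The indicator string `_0x112fa8` is the one the thread quotes; the sample `node_modules` tree the script builds, its package names and its file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a grep-only equivalent of the ripgrep
# one-liner `rg -u --max-columns=80 _0x112fa8`.

# scan_for_marker DIR PATTERN
# Print "file:line:text" for every text file under DIR containing the literal
# string PATTERN. grep -r descends into dot-directories and ignores .gitignore,
# which is the behaviour rg's -u flag has to switch on explicitly. Each hit is
# cut at 80 columns so a single minified bundle cannot flood the terminal.
scan_for_marker() {
    grep -rIFn -- "$2" "$1" 2>/dev/null | cut -c1-80
}

# count_marker_files DIR PATTERN
# Print the number of distinct text files under DIR containing PATTERN (0 = clean).
count_marker_files() {
    grep -rIFl -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# build_sample_tree
# Create a constructed node_modules tree in a temp directory and print its path.
# Package names and contents are made up; only the indicator comes from the thread.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/node_modules/clean-pkg" \
             "$root/node_modules/sample-pkg/dist" \
             "$root/node_modules/.cache"
    # an unremarkable package that must not be flagged
    printf 'module.exports = function () { return "ok"; };\n' \
        > "$root/node_modules/clean-pkg/index.js"
    # constructed: a minified-looking line carrying the obfuscated identifier
    printf 'const _0x112fa8=function(){/* constructed sample line */};\n' \
        > "$root/node_modules/sample-pkg/dist/index.js"
    # constructed: a copy under a dot-directory, to show hidden paths are searched
    printf 'var _0x112fa8 = 1;\n' > "$root/node_modules/.cache/bundle.js"
    echo "$root"
}

# demo_count
# Build the sample tree, count the flagged files, clean up, print the count.
demo_count() {
    root=$(build_sample_tree)
    n=$(count_marker_files "$root/node_modules" _0x112fa8)
    rm -rf "$root"
    echo "$n"
}

# Stand-alone run: show the individual hits, then the number of flagged files.
root=$(build_sample_tree)
scan_for_marker "$root/node_modules" _0x112fa8
echo "files flagged: $(count_marker_files "$root/node_modules" _0x112fa8)"
rm -rf "$root"
```

Against a real checkout the call is `scan_for_marker ./node_modules _0x112fa8` (or a projects directory, to cover every workspace at once). A hit means the obfuscated identifier is present in that file and the file deserves a look; an identifier of this shape can also occur in unrelated minified code, so the match is the start of the inspection, not its conclusion, and a clean result only says that this particular string is absent.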

tripplyons No.45183548
I'm not saying it's immune. I'm saying that NPM doesn't have as many protections, making NPM an easier target.