1369 points universesquid | 1 comments
cddotdotslash No.45170804
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
replies(5): >>45170982 #>>45172458 #>>45172566 #>>45173494 #>>45175539 #
legohead No.45173494
I blame the prevalence of package managers in the first place. Never liked 'em, just for this reason. Things were fine before they became mainstream. Another annoying reason is package files that are set to grab the latest version, randomly breaking your environment. This isn't just npm of course, I hate them all equally.
replies(1): >>45174969 #
stevenpetryk No.45174969
I'm a little confused, is this rage bait or what?

> Things were fine before they became mainstream

As in, things were fine before we had commonplace tooling to fetch third party software?

> package files that are set to grab the latest version

The three primary Node.js package managers all create a lockfile by default.

replies(2): >>45177902 #>>45184146 #
nananana9 No.45177902
I mostly share GP's sentiment, although they didn't argue their point very well.

> As in, things were fine before we had commonplace tooling to fetch third party software?

Yes. The languages without a dominant package manager (basically C and C++) are the only ones that have self-contained libraries, that you can just drag into your source tree.

This is how you write good libraries - as can be seen by the fact that for many problems, there's a powerful C (or C++, but usually C) library with minimal (and usually optional) dependencies, that is the de facto standard, and has bindings for most other languages. Think SDL, ffmpeg, libcurl, zlib, libpng/jpeg, FreeType, OpenSSL, etc., etc.

That's not the case for libraries written in JS, Python, or even other compiled languages like Go and Rust - libraries written in those languages come with a dependency tree, and are never ported to other languages.