←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
gslepak ◴[08 Sep 25 18:26 UTC] No.45171930[source]
Tips to protect yourself from supply-chain attacks in the JavaScript ecosystem:

- Don't update dependencies unless necessary

- Don't use `npm` to install NPM packages, use Deno with appropriate sandboxing flags

- Sign up for https://socket.dev and/or https://www.aikido.dev

- Work inside a VM

replies(2): >>45172162 #>>45174619 #
butshouldyou ◴[08 Sep 25 18:45 UTC] No.45172162[source]
Can you expand on "use Deno" for installing dependencies? I assume you don't mean to use Deno as the runtime, just for dependency management.
replies(1): >>45172325 #
gslepak ◴[08 Sep 25 18:57 UTC] No.45172325[source]
I do mean use Deno as the runtime. Details and examples of how to switch are here: https://crib.social/notice/AwQqG9gm365uat93Nw
replies(1): >>45179397 #
1. j-krieger ◴[09 Sep 25 08:58 UTC] No.45179397[source]
How would this have prevented anything?
replies(1): >>45191372 #
2. gslepak ◴[10 Sep 25 00:12 UTC] No.45191372[source]
In this case it would not have prevented anything, but I never claimed that it would. Using Deno with appropriate sandboxing flags can protect developers against many classes of supply-chain attacks.

The reason it doesn't help in this instance is because the attack targets the generated bundle and runs on client devices, whereas other attacks will target developer machines themselves (and possibly also client devices). Those types of attacks can be mitigated by using Deno.