
1369 points universesquid | 1 comments
joaomoreno No.45170585
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 >>45171275 >>45171304 >>45171841 >>45172110 >>45172189 >>45174730 >>45175821
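A plain-grep equivalent of the ripgrep check quoted above, added here as an example; it is not code from the thread, from sindresorhus or from the chalk project. It assumes only POSIX sh, find, grep, sed and awk, builds a constructed node_modules fixture (hypothetical package names, file contents that merely contain the `_0x112fa8` identifier) and reports the owning package of every hit, including a dependency nested under another package's node_modules. Because `find` does not read .gitignore, nothing is skipped the way a plain `rg` run without `-u` would skip ignored node_modules directories.

```sh
#!/bin/sh
# Added example, not code from the thread or from the chalk project.
# Plain POSIX-tools equivalent of `rg -u --max-columns=80 _0x112fa8`:
# walk a node_modules tree and report which packages contain the
# obfuscated identifier named in the thread. `find` does not honour
# .gitignore, so ignored node_modules directories are scanned too
# (the reason the original command passes -u to ripgrep).

INDICATOR='_0x112fa8'   # indicator string quoted in the thread

# package_of PATH: map a file path to its owning npm package name,
# using the last `node_modules/` segment so nested dependencies are
# attributed to the nested package, and keeping `@scope/name` intact.
package_of() {
  printf '%s\n' "$1" \
    | sed 's#.*node_modules/##' \
    | awk -F/ '{ if ($1 ~ /^@/) print $1 "/" $2; else print $1 }'
}

# scan_tree DIR: print each package (deduplicated, sorted) that has a
# JavaScript file containing INDICATOR. grep -F treats the indicator
# as a literal string, not a regex.
scan_tree() {
  find "$1" -type f \( -name '*.js' -o -name '*.cjs' -o -name '*.mjs' \) \
       -exec grep -lF -- "$INDICATOR" {} + 2>/dev/null \
    | while IFS= read -r hit; do package_of "$hit"; done \
    | sort -u
}

# make_fixture: build a constructed node_modules tree in a temp dir
# (hypothetical package names; the file contents only contain the
# identifier, they are not the real payload). Prints the root path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/infected-pkg/dist" \
           "$root/node_modules/@scope/clean-pkg" \
           "$root/node_modules/clean-host/node_modules/nested-bad"
  printf 'var %s=function(){};\n' "$INDICATOR" > "$root/node_modules/infected-pkg/dist/index.js"
  printf 'module.exports = 1;\n' > "$root/node_modules/@scope/clean-pkg/index.js"
  printf 'const %s = 1;\n' "$INDICATOR" > "$root/node_modules/clean-host/node_modules/nested-bad/lib.cjs"
  printf '%s\n' "$root"
}

# Demo on the constructed fixture. For a real check, call scan_tree on
# your project directory instead, e.g. `scan_tree ./node_modules`.
demo_root=$(make_fixture)
echo "packages containing $INDICATOR under $demo_root:"
scan_tree "$demo_root"
rm -rf "$demo_root"
```

The scan lists `infected-pkg` and `nested-bad` and stays silent on `@scope/clean-pkg`; a clean project prints nothing. Matching the identifier is an indicator-of-compromise check, not proof of absence, so a hit means a package to inspect, and no hit means only that this one string was not found.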
yifanl No.45172189
Asking people to run random install scripts just feels very out of place given the context.
replies(2): >>45172767 >>45174960
hunter2_ No.45172767
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
replies(3): >>45172964 >>45174003 >>45174196
tripplyons No.45172964
Anyone can upload an NPM package without much review. For Homebrew, you at least have to submit a pull request.
replies(2): >>45177196 >>45182290
what No.45177196
Homebrew has been compromised before. To think it’s immune is a bit naive.
replies(2): >>45182243 >>45183548
tripplyons No.45183548
I'm not saying it's immune. I'm saying that NPM doesn't have as many protections, making NPM an easier target.