1369 points universesquid | 1 comments
cddotdotslash No.45170804
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
replies(5): >>45170982 #>>45172458 #>>45172566 #>>45173494 #>>45175539 #
legohead No.45173494
I blame the prevalence of package managers in the first place. Never liked 'em, just for this reason. Things were fine before they became mainstream. Another annoying reason is package files that are set to grab the latest version, randomly breaking your environment. This isn't just npm of course, I hate them all equally.
replies(1): >>45174969 #
stevenpetryk No.45174969
I'm a little confused, is this rage bait or what?

> Things were fine before they became mainstream

As in, things were fine before we had commonplace tooling to fetch third party software?

> package files that are set to grab the latest version

The three primary Node.js package managers all create a lockfile by default.

replies(2): >>45177902 #>>45184146 #
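The exchange above turns on two things: manifests that use floating ranges (`latest`, `*`, `^`, `~`) versus exact pins, and whether a lockfile actually covers every dependency with an integrity hash. The following script is an added example, not code from the thread or from npm; it audits a constructed `package.json` against a constructed `package-lock.json` (lockfileVersion 3 layout, `packages` keyed by `node_modules/<name>`) and reports floating specifiers, dependencies absent from the lock, and lock entries without an `integrity` field. The integrity strings and registry URLs in the sample are placeholders.

```python
"""Audit a package.json against its package-lock.json for floating
version ranges and incomplete lock coverage (added example)."""
import json
import re

# Constructed sample manifest; not taken from any real project.
PACKAGE_JSON = json.loads("""
{
  "name": "example-app",
  "dependencies": {
    "left-pad": "1.3.0",
    "lodash": "^4.17.21",
    "chalk": "latest",
    "debug": "*",
    "semver": "~7.6.0"
  },
  "devDependencies": {
    "jest": ">=29"
  }
}
""")

# Constructed sample lockfile (lockfileVersion 3 shape). "debug" and "jest"
# are deliberately missing, and "chalk" lacks an integrity hash.
# "sha512-PLACEHOLDER" stands in for a real subresource-integrity value.
PACKAGE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.example/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.example/lodash-4.17.21.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/chalk": {"version": "5.3.0",
      "resolved": "https://registry.example/chalk-5.3.0.tgz"},
    "node_modules/semver": {"version": "7.6.3",
      "resolved": "https://registry.example/semver-7.6.3.tgz",
      "integrity": "sha512-PLACEHOLDER"}
  }
}
""")

# An exact semver pin: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?$")


def is_floating(spec):
    """True if the specifier can resolve to different versions over time."""
    spec = spec.strip()
    if spec in ("", "*", "latest", "x"):
        return True
    return not EXACT_VERSION.match(spec)


def lock_entry(lock, name):
    """Look up a top-level dependency's entry in a v3 package-lock."""
    return lock.get("packages", {}).get(f"node_modules/{name}")


def audit(manifest, lock):
    """Return sorted (dependency, issue) pairs for anything a reviewer
    would want to see before trusting an install to be reproducible."""
    findings = []
    deps = {}
    deps.update(manifest.get("dependencies", {}))
    deps.update(manifest.get("devDependencies", {}))
    for name, spec in sorted(deps.items()):
        if is_floating(spec):
            findings.append((name, f"floating range {spec!r}"))
        entry = lock_entry(lock, name)
        if entry is None:
            findings.append((name, "missing from package-lock.json"))
        elif not entry.get("integrity"):
            findings.append((name, "lock entry has no integrity hash"))
    return findings


if __name__ == "__main__":
    for dep, issue in audit(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{dep}: {issue}")
```

A floating range in `package.json` is only harmless while the lockfile is both complete and actually honoured; `npm ci` installs exactly what the lock records and refuses to run when the two files disagree, whereas a plain `npm install` may rewrite the lock to satisfy a range.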
int_19h No.45184146
> As in, things were fine before we had commonplace tooling to fetch third party software?

In some ways they were. I remember how much friction it was to take a dependency in your typical desktop C++ or Delphi app in late 90s - early 00s. And because of that, developers would generally be hesitant to add a new dependency without a strong justification, especially so any kind of dependency that comes with its own large dependency tree. Which, in turn, creates incentives for library authors to create fairly large, framework-style libraries. So you end up with an ecosystem where dependencies are much more coarse and there are fewer of them, so dependency graphs are shallow. Whether this is an advantage or a disadvantage in its own right can be debated, but it's definitely less susceptible to this kind of attack because updating dependencies in such a system is also much more involved; it's not something that you do with a single `npm install`.