
1369 points universesquid | 1 comments
joaomoreno No.45170585
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

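As an added example (not from the thread or from sindresorhus's post), the same check done without ripgrep: a Python script that searches a dependency tree for the quoted indicator and attributes each hit to the package name and version from the nearest package.json. The package names and file contents it scans are constructed samples, not real packages.

```python
import json
import tempfile
from pathlib import Path

# Obfuscated identifier quoted in the thread as the string to grep for.
INDICATOR = "_0x112fa8"

def owning_package(file_path: Path, root: Path):
    """Walk up from a hit to the nearest package.json and return (name, version)."""
    for parent in file_path.parents:
        pj = parent / "package.json"
        if pj.is_file():
            try:
                meta = json.loads(pj.read_text(encoding="utf-8", errors="replace"))
            except json.JSONDecodeError:
                return parent.name, "?"
            return meta.get("name", parent.name), meta.get("version", "?")
        if parent == root:
            break
    return file_path.name, "?"

def scan_tree(root, indicator=INDICATOR, exts=(".js", ".mjs", ".cjs")):
    """Return one record per JavaScript file under root that contains the indicator."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.suffix not in exts or not path.is_file():
            continue
        if indicator.encode() in path.read_bytes():
            name, version = owning_package(path, root)
            hits.append({"package": name, "version": version,
                         "file": str(path.relative_to(root))})
    return hits

def demo():
    """Build a constructed node_modules tree (one clean, one flagged package) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    clean = tmp / "node_modules" / "clean-dep-sample"      # constructed name
    flagged = tmp / "node_modules" / "flagged-dep-sample"  # constructed name
    for pkg, body in ((clean, "module.exports = 1;\n"),
                      (flagged, "var " + INDICATOR + " = function(){};\n")):
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": pkg.name, "version": "0.0.1"}))
        (pkg / "index.js").write_text(body)
    return scan_tree(tmp)

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['package']}@{hit['version']}: {hit['file']}")
```

Point `scan_tree` at a project directory to check a real dependency tree; only the flagged sample package is reported in the demo.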
yifanl No.45172189
Asking people to run random install scripts just feels very out of place given the context.
hunter2_ No.45172767
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
dmitrygr No.45174003
> don't we consider things like `brew` to be sufficiently low-risk,

Like ... npm?

fn-mote No.45175021
Nah…

Everybody knows npm is a gaping security issue waiting to happen. Repeatedly.

It’s convenient, so it’s popular.

Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

johnisgood No.45186549
Convenient, as in the barrier to entry is way too low. I am pretty much against it.