
1208 points jamesberthoty | 4 comments
l___l No.45260940
Is there a theoretical framework that can prevent this from happening? Proof-carrying code?
replies(8): >>45260951 >>45260961 >>45260981 >>45260989 >>45261022 >>45261060 >>45270399 >>45274246
1. dist-epoch No.45260951
There are, but they have huge performance or usability penalties.

Stuff like intents "this is a math library, it is not allowed to access the network or filesystem".

At a higher level, you have app sandboxing, like on phones or Apple/Windows store. Sandboxed desktop apps are quite hated by developers - my app should be allowed to do whatever the fuck it wants.

replies(3): >>45261021 >>45261057 >>45261272
2. IshKebab No.45261021
Do they actually have huge performance penalties in JavaScript?

I would have thought it wouldn't be too hard to design a capability system in JS. I bet someone has done it already.

Of course, it's not going to be compatible with any existing JS libraries. That's the problem.

3. killerstorm No.45261057
You can do that by screening module imports with zero runtime penalty.
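An added example (not code from anyone in the thread) of the kind of import screening described above, combined with the "intents" idea from comment 1: a package declares which capabilities it needs, and a static scan of its source flags any Node built-in whose capability was not declared. The built-in-to-capability table, the intent shape and the sample package sources are all constructed for this illustration.

```javascript
// Static screen: no package code is executed, so there is no runtime penalty.
// Map of Node built-ins to the capability they imply (constructed; extend as needed).
const CAPABILITY_OF = {
  fs: "filesystem", "fs/promises": "filesystem",
  net: "network", http: "network", https: "network", dns: "network", tls: "network",
  child_process: "process",
  path: null, // harmless helper, implies no capability
};

// Matches require('x'), import('x'), import 'x' and import ... from 'x'.
const IMPORT_RE = /(?:require\s*\(\s*|import\s*\(\s*|import\s+(?:[\w*{}\s,]+\s+from\s+)?|from\s+)["']([^"']+)["']/g;
// A require()/import() whose argument is not a string literal cannot be screened statically.
const DYNAMIC_RE = /(?:require|import)\s*\(\s*(?!["'])/;

function extractImports(source) {
  const found = new Set();
  for (const m of source.matchAll(IMPORT_RE)) found.add(m[1].replace(/^node:/, ""));
  return [...found];
}

// Returns a list of violations: imports needing a capability the intent does not declare,
// plus a note if the package uses non-literal imports that defeat static screening.
function screen(source, intent) {
  const allowed = new Set(intent.capabilities);
  const violations = extractImports(source)
    .map((mod) => ({ mod, cap: CAPABILITY_OF[mod] }))
    .filter(({ cap }) => cap && !allowed.has(cap))
    .map(({ mod, cap }) => `${mod} needs '${cap}' (not declared by ${intent.name})`);
  if (DYNAMIC_RE.test(source)) violations.push("non-literal require()/import(): cannot be screened statically");
  return violations;
}

// Constructed samples: a "math library" intent that declares no capabilities,
// a clean version of its source, and a tampered version that reaches for I/O.
const MATH_LIB_INTENT = { name: "tiny-math", capabilities: [] };
const CLEAN_SOURCE = `import { join } from "node:path";
export const hyp = (a, b) => Math.sqrt(a * a + b * b);`;
const TAMPERED_SOURCE = `${CLEAN_SOURCE}
const https = require("https");
const fsp = require("fs/promises");
import("child_process");`;

console.log(screen(CLEAN_SOURCE, MATH_LIB_INTENT));    // []
console.log(screen(TAMPERED_SOURCE, MATH_LIB_INTENT)); // three violations
```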
4. No.45261272