(socket.dev)

1208 points jamesberthoty | 5 comments | 16 Sep 25 11:22 UTC | HN request time: 0.761s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

gchamonlive ◴[16 Sep 25 11:36 UTC] No.45260844[source]▶

>>45260741 (OP) #

We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?

replies(10): >>45260897 #>>45260900 #>>45260903 #>>45260982 #>>45261023 #>>45261089 #>>45261173 #>>45261189 #>>45261245 #>>45268913 #

1. palmfacehn ◴[16 Sep 25 11:52 UTC] No.45260982[source]▶

>>45260844 #

Apparently Maven has 61.9M indexed packages. As Java has a decent standard lib, mini libs like leftpad are not contributing to this count. NPM has 3.1M packages. Many are trivially simple. Those stats would suggest that NPM has disproportionately more issues than other services.

I would argue that is only one of the many issues with the JS/TS/NPM ecosystem. Many of the other problems have been normalized. The constant security issues are highly visible.

replies(2): >>45261095 #>>45261160 #

2. eastbound ◴[16 Sep 25 12:04 UTC] No.45261095[source]▶

>>45260982 (TP) #

On Maven, I restrict packages to Spring and Apache. As opposed to NPM, where even big vendors can depend on hundreds of small ones.

replies(1): >>45261174 #

3. jsiepkes ◴[16 Sep 25 12:10 UTC] No.45261160[source]▶

>>45260982 (TP) #

> Apparently Maven has 61.9M indexed packages.

Where did you see that number? Maven central says it has about 18 million [1] packages. Maybe with all versions of those 18 million packages there are about 62 million artifacts?

While the Java ecosystem is vastly larger, in Java (with Maven, Gradle, Bazel, etc.) it is not common to use really small libraries. So you end up with vastly less transitive dependencies in your projects.

[1] https://mvnrepository.com/repos/central

replies(1): >>45261262 #

4. skydhash ◴[16 Sep 25 12:12 UTC] No.45261174[source]▶

>>45261095 #

This. You would expect some of the mature packages to be quite diligent about dependencies, but they are the one pulling random stuff for a minor feature. then the transitive dependencies adds like GBs of files to your project.

5. palmfacehn ◴[16 Sep 25 12:20 UTC] No.45261262[source]▶

>>45261160 #

That is correct.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised