←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.203s | source
Show context
l___l ◴[16 Sep 25 11:48 UTC] No.45260940[source]
Is there a theoretical framework that can prevent this from happening? Proof-carrying code?
replies(8): >>45260951 #>>45260961 #>>45260981 #>>45260989 #>>45261022 #>>45261060 #>>45270399 #>>45274246 #
diggan ◴[16 Sep 25 11:52 UTC] No.45260981[source]
Probably signatures could alleviate most of these issues, as each publish would require the author to actually sign the artifact, and setup properly with hardware keys, this sort of malware couldn't spread. The NPM CI tokens that don't require 2fa kind of makes it less useful though.

Clojars (run by volunteers AFAIK) been doing signatures since forever, not sure why it's so difficult for Microsoft to follow their own yearly proclamation of "security is our top concern".

replies(1): >>45261014 #
1. madeofpalk ◴[16 Sep 25 11:55 UTC] No.45261014[source]
I would like to see more usage of NPM/Github Actions provenance statements https://www.npmjs.com/package/sigstore#provenance through the ecosystem

> The NPM CI tokens that don't require 2fa kind of makes it less useful though

Use OIDC to publish packages instead of having tokens around that can be stolen or leaked https://docs.npmjs.com/trusted-publishers