Most active commenters
  • mewpmewp2(4)
  • diggan(3)

←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 11 comments | 16 Sep 25 11:22 UTC | HN request time: 0.002s | source | bottom
Show context
madeofpalk ◴[16 Sep 25 11:49 UTC] No.45260948[source]
My main takeaway from all of these is to stop using tokens, and rely on mechanisms like OIDC to reduce the blast radius of a compromise.

How many tokens do you have lying around in your home directory in plain text, able to be read by anything on your computer running as your user?

replies(1): >>45261000 #
diggan ◴[16 Sep 25 11:54 UTC] No.45261000[source]
> How many tokens do you have lying around in your home directory in plain text, able to be read by anything on your computer running as your user?

Zero? How many developers have plain-text tokens lying around on disk? Avoiding that been hammered into me from every developer more senior than me since I got involved with professional software development.

replies(5): >>45261018 #>>45261050 #>>45261136 #>>45261146 #>>45261317 #
1. mewpmewp2 ◴[16 Sep 25 11:56 UTC] No.45261018[source]
How do you manage secrets for your projects?
replies(2): >>45261045 #>>45261228 #
2. diggan ◴[16 Sep 25 11:58 UTC] No.45261045[source]
Using a password manager for fetching them when needed. 1Password in my case, but I'm sure any password manager can be used for storing secrets for most programming projects.
replies(3): >>45261088 #>>45261546 #>>45261567 #
3. mewpmewp2 ◴[16 Sep 25 12:03 UTC] No.45261088[source]
Which programming languages/frameworks do you use? Do you use 1Password to load secrets to env where you run whatever thing you are working on? Or does the app load them during boot?
replies(1): >>45261127 #
4. diggan ◴[16 Sep 25 12:07 UTC] No.45261127{3}[source]
A bunch, ranging from JS to Clojure and everything in-between, depends on the project.

The approach also depends on the project. There is a bunch of different approaches and I don't think there is one approach that would work for every project, and sometimes I requires some wrangling but takes 5-10 minutes tops.

Some basic information about how you could make it work with 1Password: https://developer.1password.com/docs/cli/secrets-environment...

replies(1): >>45261319 #
5. mr_toad ◴[16 Sep 25 12:17 UTC] No.45261228[source]
One option is pass, which is a shell script that uses GPG to manage passwords for command line tools. You can put the password store into a git repository if you need to sync it across machines.
replies(1): >>45261503 #
6. mewpmewp2 ◴[16 Sep 25 12:26 UTC] No.45261319{4}[source]
How long have you been using that method? I didn't feel it's been very popular so far, although it makes a lot of sense. I've always seen people using gitignored .env files/config dirs in projects with many hardcoded credentials.
7. chrisweekly ◴[16 Sep 25 12:47 UTC] No.45261503[source]
Wait, what? "put the password store into a git repository"?!
replies(1): >>45262528 #
8. loloquwowndueo ◴[16 Sep 25 12:51 UTC] No.45261546[source]
Fun fact : Bitwarden’s cli is written in JavaScript and needs Node.js to run.
9. mewpmewp2 ◴[16 Sep 25 12:53 UTC] No.45261567[source]
I was thinking about one more case, if you are using 1password as a cli tool. Let's say you "op run -- npm dev". If there's a malicious node modules script, it would of course be able to get the env variables you intended to inject, but would it also be able to continue running more op commands to get all your other secrets too if you have started a session?

Edit: Testing 1Password myself, with 1password desktop and shell, if I have authed myself once in shell, then "spawn" would be able to get all of my credentials from 1Password.

So I'm not actually sure how much better than plaintext is that. Unless you use service accounts there.

10. dflock ◴[16 Sep 25 14:13 UTC] No.45262528{3}[source]
The store in the case of pass, is a plain text file, whose contents are encrypted strings. If you trust the encryption, you can put it anywhere you like. Keep the keys secret and safe, though!
replies(1): >>45267380 #
11. 9dev ◴[16 Sep 25 20:14 UTC] No.45267380{4}[source]
Until you have to fire one of your disgruntled employees, who has a copy of all your secrets that you now need to rotate.

A repository that an attacker only needs to get access to once, after which they can perform offline attacks against at their leisure.

A repository that contains the history of changed values, possibly making the latter easier, if you used the same encryption secret for rotated values.

This is an awful idea. Use a proper secret management tool you need to authenticate to using OIDC or Passkeys, and load secrets at runtime within the process. Everything else is dangerous.