(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.254s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

l___l ◴[16 Sep 25 11:48 UTC] No.45260940[source]▶

>>45260741 (OP) #

Is there a theoretical framework that can prevent this from happening? Proof-carrying code?

replies(8): >>45260951 #>>45260961 #>>45260981 #>>45260989 #>>45261022 #>>45261060 #>>45270399 #>>45274246 #

dist-epoch ◴[16 Sep 25 11:50 UTC] No.45260951[source]▶

>>45260940 #

There are, but they have huge performance or usability penalties.

Stuff like intents "this is a math library, it is not allowed to access the network or filesystem".

At a higher level, you have app sandboxing, like on phones or Apple/Windows store. Sandboxed desktop apps are quite hated by developers - my app should be allowed to do whatever the fuck it wants.

replies(3): >>45261021 #>>45261057 #>>45261272 #

1. killerstorm ◴[16 Sep 25 12:00 UTC] No.45261057[source]▶

>>45260951 #

You can do that by screening module imports with zero runtime penalty.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised