1208 points jamesberthoty | 20 comments
jbd0 No.45260954
I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.
replies(3): >>45260975 #>>45261085 #>>45261124 #
1. zachrip No.45261085
I can tell a lot about a dev by the fact that they single out npm/js for this supply chain issue.
replies(7): >>45261191 #>>45261219 #>>45261232 #>>45261237 #>>45261268 #>>45261512 #>>45263231 #
2. hsbauauvhabzb No.45261191
That they’ve coded in more than one language?
3. No.45261219
4. brobdingnagians No.45261232
Lots of language ecosystems have this problem, but it is especially prominent in JS and lies on a spectrum. For comparison, in the C/C++ ecosystem it is prominent to have libraries advertising that they have zero dependencies and are header-only, or one common major library like Boost.
5. RUnconcerned No.45261237
What other language ecosystems have had this happen systematically? This isn't even the first time this month!
replies(5): >>45262049 #>>45262513 #>>45265664 #>>45267928 #>>45271328 #
6. lithos No.45261268
Just more engineering-leaning than you. Actual engineers have to analyze their supply chains, and so it makes sense they would be baffled by the NPM dependency trees that utterly normal projects grow into in the JavaScript ecosystem.
replies(2): >>45261475 #>>45265112 #
7. zachrip No.45261475
Do you think companies using node don't analyze supply chains? That's nonsense. Have you cargo installed a rust app recently? This isn't just a js issue. This needs to be solved across the industry and npm frankly has done a horrible job at it. We let people with billions of downloads a month with recently changed password/2fa publish packages? Why don't we pool assets as a collective to scan newly published packages before they're allowed to be installed? These types of things really should exist across all package registries (and my really hot take is that we probably don't need a registry for every language, either!).
replies(3): >>45262860 #>>45262989 #>>45269609 #
8. Aeolun No.45261512
I think it’s just that a lot of old men don’t like how popular it has become with script kiddies.
9. blueflow No.45262049
Python/PyPI.
10. johnisgood No.45262513
Rust.
11. LaGrange No.45262860
> Do you think companies using node don't analyze supply chains?

I _know_ many don’t. In fact suggesting doing it is a good way to be looked at like a crazy person and be told something like “this is a yes place not a no place.”

12. pclmulqdq No.45262989
It is solved across the industry for those who care. If you use cargo, npm, or a python package manager, you may have a service that handles static versioning of dependencies for security purposes. If you don't, you aren't generally working in a language that encourages so much package use.
13. cedws No.45263231
The JavaScript ecosystem has a major case of import-everything disease that acts as a catalyst for supply chain attacks. left-pad as one example of many.
14. Lumping6371 No.45265112
Good thing that at scale, private package repositories or even in-house development is done. Personally, I would argue that an engineer unable to tell apart perfect from good isn't a very good engineer in my book, but some engineers are unable to make compromises.
15. LPisGood No.45265664
Go has this issue.
16. SkyPuncher No.45267928
NPM is the most popular, so it happens the most frequently. All of the other ecosystems are just as susceptible.

Unix had a big scare last year because of XZ Utils.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

replies(1): >>45273588 #
17. keyle No.45269609
2FA would certainly help; however, you'd still have malware like this silently updating code and waiting for the next release.

We'd have to rely on the developer to notice, and check every line of code they ship, which might be the norm but certainly not 100% of cases.

18. mdavidn No.45271328
RubyGems is susceptible too.
19. Sankozi No.45273588
No, they are not as susceptible - auto-updating dependencies, post-install scripts and a culture of thousands of crappy micro-packages (like left-pad) is mainly an NPM issue.
replies(1): >>45275554 #
20. zachrip No.45275554
Packages are not auto updated if you have a package-lock. Agreed that post-install, left-pad, etc have been overall problematic tho.