←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source
Show context
gchamonlive ◴[16 Sep 25 11:36 UTC] No.45260844[source]
We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?
replies(10): >>45260897 #>>45260900 #>>45260903 #>>45260982 #>>45261023 #>>45261089 #>>45261173 #>>45261189 #>>45261245 #>>45268913 #
dist-epoch ◴[16 Sep 25 11:43 UTC] No.45260897[source]
It's just where the users and the juicy targets are.

NPM packages are used by huge Electron apps like Discord, Slack, VS Code, the holy grail would be to somehow slip something inside them.

replies(5): >>45260907 #>>45260947 #>>45260963 #>>45261266 #>>45261269 #
guidedlight ◴[16 Sep 25 11:49 UTC] No.45260947[source]
We don't see these attacks nearly as severe or frequent on Maven, which is a much older package management solution. Maven users would be far more attractive targets given corporates extensively run Java.
replies(1): >>45261106 #
1. mr_toad ◴[16 Sep 25 12:05 UTC] No.45261106[source]
Number of packages doesn’t mean much. If you can get your code into just one Javascript package you could have it run on billions of browsers. With Java it’s hard to get the same distribution (although the log4j vulnerability shows it’s not entirely impossible).