←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 7 comments | 16 Sep 25 11:22 UTC | HN request time: 0.86s | source | bottom
1. philipwhiuk ◴[16 Sep 25 12:07 UTC] No.45261128[source]
post-install seems like it shouldn't be necessary anyway, let alone need shell access. What are legitimate JS packages using this for?
replies(4): >>45261294 #>>45261367 #>>45261717 #>>45262695 #
2. homebrewer ◴[16 Sep 25 12:24 UTC] No.45261294[source]
From what I've seen, it's either spam, telemetry, or downloading prebuilt binaries. The first two are anti-user and should not exist, the last one isn't really necessary — swc, esbuild, and typescript-go simply split native versions into separate packages, and install just what your system needs.

Use pnpm and whitelist just what you need. It disables all scripts by default.

3. eknkc ◴[16 Sep 25 12:32 UTC] No.45261367[source]
Does that even matter?

The malware could have been a JS code injected into the module entry point itself. As soon as you execute something that imports the package (which, you did install for a reason) the code can run.

I don't think that many people sandbox their development environments.

replies(1): >>45263142 #
4. vinnymac ◴[16 Sep 25 13:07 UTC] No.45261717[source]
Most don’t need it. There was a time when most post installing flooded your terminal with annoying messages to upgrade, donate, say hi.

Modern node package managers such as yarn and pnpm allow you to prevent post installs entirely.

Today most of the time you need to make an exception for a package is when a module requires native compilation or download of a pre-built binary. This has become rare though.

5. tln ◴[16 Sep 25 14:26 UTC] No.45262695[source]
I think these compromises show that install hooks should be severely restricted.

Something like, only packages with attestations/signed releases and OIDC-only workflow should allow these scripts.

Worm could propogate through the code itself but I think it would be quite a bit less effective.

6. theodorejb ◴[16 Sep 25 14:54 UTC] No.45263142[source]
It absolutely matters. Many people install packages for front-end usage which would only be imported in the browser sandbox. Additionally, a package may be installed in a dev environment for inspection/testing before deciding whether to use it in production.

To me it's quite unexpected/scary that installing a package on my dev machine can execute arbitrary code before I ever have a chance to inspect the package to see whether I want to use it.

replies(1): >>45263260 #
7. eknkc ◴[16 Sep 25 15:01 UTC] No.45263260{3}[source]
I've been using pnpm and it does not run lifecycle scripts by default. Asks for confirmation and creates a whitelist if you allow things. Might be the better default.