←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0.644s | source
Show context
madeofpalk ◴[16 Sep 25 11:49 UTC] No.45260948[source]
My main takeaway from all of these is to stop using tokens, and rely on mechanisms like OIDC to reduce the blast radius of a compromise.

How many tokens do you have lying around in your home directory in plain text, able to be read by anything on your computer running as your user?

replies(1): >>45261000 #
diggan ◴[16 Sep 25 11:54 UTC] No.45261000[source]
> How many tokens do you have lying around in your home directory in plain text, able to be read by anything on your computer running as your user?

Zero? How many developers have plain-text tokens lying around on disk? Avoiding that been hammered into me from every developer more senior than me since I got involved with professional software development.

replies(5): >>45261018 #>>45261050 #>>45261136 #>>45261146 #>>45261317 #
1. viraptor ◴[16 Sep 25 12:08 UTC] No.45261136[source]
> How many developers have plain-text tokens lying around on disk?

Most of them. Mainly on purpose, (.env files) but many also accidentally. (shell history with tokens in the commands)

replies(1): >>45272956 #
2. saleCz ◴[17 Sep 25 07:36 UTC] No.45272956[source]
Exactly. There are tools that allow debugging production environments without having to have the credentials on your disk.

I recommend Envie: https://github.com/ilmari-h/envie

It's more convenient than having a bunch of .env.prod, .env.staging files laying around, not to mention more secure.