
1208 points jamesberthoty | 1 comments

gchamonlive No.45260844
We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?
palmfacehn No.45260982
Apparently Maven has 61.9M indexed packages. As Java has a decent standard lib, mini libs like left-pad are not contributing to this count. NPM has 3.1M packages. Many are trivially simple. Those stats would suggest that NPM has disproportionately more issues than other services.

I would argue that is only one of the many issues with the JS/TS/NPM ecosystem. Many of the other problems have been normalized. The constant security issues are highly visible.

eastbound No.45261095
On Maven, I restrict packages to Spring and Apache. As opposed to NPM, where even big vendors can depend on hundreds of small ones.
skydhash No.45261174
This. You would expect some of the mature packages to be quite diligent about dependencies, but they are the ones pulling random stuff for a minor feature. Then the transitive dependencies add GBs of files to your project.
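The two practices discussed above, restricting a project to a short allowlist of trusted publishers (as eastbound does on Maven) and finding out which direct dependency is responsible for the pile of transitive packages (skydhash's complaint), can be checked mechanically against an npm lockfile. The script below is an added example written for this thread, not code from any commenter or from npm itself. It parses the `packages` map of a lockfileVersion 2/3 `package-lock.json`, flags every installed package outside an allowlist of scope prefixes, lists the packages nobody asked for directly, and attributes each installed package to the direct dependencies whose trees pull it in. The lockfile contents, the `@acme/` scope and all package names are constructed sample data; the traversal assumes a flat (hoisted) install where each package lives at `node_modules/<name>`.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample lockfile (lockfileVersion 3 layout, trimmed to the fields used here).
# The "packages" map keys are install paths; "" is the project itself.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {"@acme/http": "1.0.0"},
            "devDependencies": {"tiny-util": "0.1.0"},
        },
        "node_modules/@acme/http": {
            "version": "1.0.0",
            "dependencies": {"@acme/core": "1.0.0", "left-pad-ish": "1.3.0"},
        },
        "node_modules/@acme/core": {"version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0", "dependencies": {"is-thing": "2.0.0"}},
        "node_modules/is-thing": {"version": "2.0.0"},
        "node_modules/tiny-util": {"version": "0.1.0", "dev": True},
    },
})

# Hypothetical trusted scope, the npm analogue of "only Spring and Apache" on Maven.
ALLOWED_PREFIXES: Tuple[str, ...] = ("@acme/",)


def package_name(path: str) -> str:
    """Map an install path to a package name: everything after the last 'node_modules/'."""
    return path.rsplit("node_modules/", 1)[-1]


def load_packages(lock_json: str) -> Dict[str, dict]:
    """Return the installed packages (path -> metadata), excluding the project root entry."""
    data = json.loads(lock_json)
    if data.get("lockfileVersion", 0) < 2:
        raise ValueError("expected lockfileVersion >= 2 with a 'packages' map")
    return {path: meta for path, meta in data["packages"].items() if path}


def direct_dependencies(lock_json: str) -> Set[str]:
    """Packages the project itself declares, regular and dev."""
    root = json.loads(lock_json)["packages"].get("", {})
    return set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))


def audit_allowlist(lock_json: str, allowed_prefixes: Tuple[str, ...]) -> List[str]:
    """Installed packages, direct or transitive, whose name is outside the allowlist."""
    return sorted(
        package_name(path)
        for path in load_packages(lock_json)
        if not package_name(path).startswith(allowed_prefixes)
    )


def transitive_only(lock_json: str) -> List[str]:
    """Installed packages that no entry in package.json asked for directly."""
    installed = {package_name(p) for p in load_packages(lock_json)}
    return sorted(installed - direct_dependencies(lock_json))


def introduced_by(lock_json: str) -> Dict[str, Set[str]]:
    """For each installed package, the direct dependencies whose trees pull it in.

    Assumes a flat install: 'node_modules/<name>' is the only copy of a package,
    so dependency names can be resolved without walking nested node_modules dirs.
    """
    deps_of = {
        package_name(path): set(meta.get("dependencies", {}))
        for path, meta in load_packages(lock_json).items()
    }
    result: Dict[str, Set[str]] = {}
    for root in direct_dependencies(lock_json):
        stack, seen = [root], set()
        while stack:  # depth-first walk of the subtree under this direct dependency
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            result.setdefault(name, set()).add(root)
            stack.extend(deps_of.get(name, ()))
    return result


if __name__ == "__main__":
    blame = introduced_by(SAMPLE_LOCKFILE)
    for name in audit_allowlist(SAMPLE_LOCKFILE, ALLOWED_PREFIXES):
        print(f"outside allowlist: {name:<14} pulled in by {sorted(blame.get(name, []))}")
    print("transitive only:", transitive_only(SAMPLE_LOCKFILE))
```

Run against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file's contents; the output gives a reviewer the same information eastbound gets for free from a Maven group restriction: which installed packages fall outside the trusted set, and which top-level dependency is responsible for each one.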