(socket.dev)

1208 points jamesberthoty | 3 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]▶

>>45260741 (OP) #

I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.

replies(3): >>45260975 #>>45261085 #>>45261124 #

oVerde ◴[16 Sep 25 11:51 UTC] No.45260975[source]▶

>>45260954 #

So basically you live JavaScript free?

replies(4): >>45260998 #>>45261034 #>>45261487 #>>45261734 #

Xelbair ◴[16 Sep 25 11:57 UTC] No.45261034[source]▶

>>45260975 #

as much as i can yes.

I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself.

replies(3): >>45261071 #>>45261213 #>>45261604 #

1. kaiomagalhaes ◴[16 Sep 25 12:16 UTC] No.45261213[source]▶

>>45261034 #

out of sincere curiosity, which one is a great programming language to you?

replies(1): >>45261350 #

2. Xelbair ◴[16 Sep 25 12:30 UTC] No.45261350[source]▶

>>45261213 (TP) #

depends on use case, i don't think one language can fit all cases. 100% correctness is required for systems, but it is a hindrance in non-critical systems. or robust type systems require high compilation times which hurt iterating on the codebase.

systems? rust - but it is still far from perfect, too much focus on saving few keystrokes here and there.

general purpose corporate development? c# - despite current direction post .net 5 of stapling together legacy parts of .net framework to .net core. it does most things good enough.

scripting, and just scripting? python.

web? there's only one, bad, option and that's js/ts.

most hated ones are in order: js, go, c++, python.

go is extremely infuriating, there was a submission on HN that perfectly encapsulated my feelings about it, after writing it for a while: https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-...

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised