(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.302s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]▶

>>45260741 (OP) #

I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.

replies(3): >>45260975 #>>45261085 #>>45261124 #

zachrip ◴[16 Sep 25 12:03 UTC] No.45261085[source]▶

>>45260954 #

I can tell a lot about a dev by the fact that they single out npm/js for this supply chain issue.

replies(7): >>45261191 #>>45261219 #>>45261232 #>>45261237 #>>45261268 #>>45261512 #>>45263231 #

1. brobdingnagians ◴[16 Sep 25 12:18 UTC] No.45261232[source]▶

>>45261085 #

Lots of languages ecosystems have this problem, but it is especially prominent in JS and lies on a spectrum. For comparison, in the C/C++ ecosystem it is prominent to have libraries advertising that they have zero dependencies and header only or one common major library like Boost.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised