
1208 points jamesberthoty | 1 comments

gchamonlive No.45260844
We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?
replies(10): >>45260897 >>45260900 >>45260903 >>45260982 >>45261023 >>45261089 >>45261173 >>45261189 >>45261245 >>45268913
palmfacehn No.45260982
Apparently Maven has 61.9M indexed packages. As Java has a decent standard lib, mini libs like leftpad are not contributing to this count. NPM has 3.1M packages. Many are trivially simple. Those stats would suggest that NPM has disproportionately more issues than other services.

I would argue that is only one of the many issues with the JS/TS/NPM ecosystem. Many of the other problems have been normalized. The constant security issues are highly visible.

replies(2): >>45261095 >>45261160
jsiepkes No.45261160
> Apparently Maven has 61.9M indexed packages.

Where did you see that number? Maven central says it has about 18 million [1] packages. Maybe with all versions of those 18 million packages there are about 62 million artifacts?

While the Java ecosystem is vastly larger, in Java (with Maven, Gradle, Bazel, etc.) it is not common to use really small libraries. So you end up with vastly less transitive dependencies in your projects.

[1] https://mvnrepository.com/repos/central

replies(1): >>45261262
palmfacehn No.45261262
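The point above about transitive dependency count is something you can measure rather than estimate. The following is an added example, not code from the thread or from npm: it walks a package-lock.json (lockfileVersion 3 layout, where each installed copy is keyed by its `node_modules/...` path) from the project root, resolves each requirement the way npm does (nearest enclosing `node_modules` first, then upward), and reports how many packages you actually install versus how many you asked for, plus the chain of packages that pulled in any given name. The lockfile content is constructed for the example, with made-up package names; only the root's `dependencies` are walked (devDependencies, optional and peer handling are left out).

```python
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3 layout). Package names and
# versions are invented for this example; this is not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"web-framework": "^1.0.0", "left-pad-ish": "^1.0.0"}},
        "node_modules/web-framework": {"version": "1.2.0",
             "dependencies": {"router-lib": "^2.0.0", "tiny-util": "^1.0.0"}},
        "node_modules/router-lib": {"version": "2.1.0",
             "dependencies": {"tiny-util": "^2.0.0"}},
        # router-lib needs a different major of tiny-util, so npm nests a second copy.
        "node_modules/router-lib/node_modules/tiny-util": {"version": "2.0.1"},
        "node_modules/tiny-util": {"version": "1.4.0",
             "dependencies": {"is-thing": "^0.1.0"}},
        "node_modules/is-thing": {"version": "0.1.3"},
        "node_modules/left-pad-ish": {"version": "1.0.0"},
    },
})


def resolve(packages, requester, name):
    """Find the installed path that `requester` gets when it requires `name`:
    try requester's own nested node_modules, then walk up to the root."""
    path = requester
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        idx = path.rfind("/node_modules/")
        path = path[:idx] if idx >= 0 else ""


def walk(lock_json):
    """Breadth-first traversal of the install tree from the project root ("").
    Returns (packages, depth, parent), both dicts keyed by installed path."""
    packages = json.loads(lock_json)["packages"]
    depth, parent = {"": 0}, {"": None}
    queue = deque([""])
    while queue:
        cur = queue.popleft()
        for dep in packages[cur].get("dependencies", {}):
            key = resolve(packages, cur, dep)
            if key is None:
                raise KeyError(f"{dep} required by {cur or 'root'} is missing from the lockfile")
            if key not in depth:  # first time we reach this installed copy
                depth[key] = depth[cur] + 1
                parent[key] = cur
                queue.append(key)
    return packages, depth, parent


def package_name(key):
    """'node_modules/a/node_modules/b' -> 'b'."""
    return key.rsplit("node_modules/", 1)[1]


def dependency_stats(lock_json):
    """Direct vs. installed vs. transitive-only counts and the deepest chain."""
    packages, depth, _ = walk(lock_json)
    direct = set(packages[""].get("dependencies", {}))
    installed = {k: d for k, d in depth.items() if k}   # every tarball npm fetches
    names = {package_name(k) for k in installed}
    return {
        "direct": len(direct),
        "installed": len(installed),          # duplicate copies count separately
        "distinct_names": len(names),
        "transitive_only": len(names - direct),
        "max_depth": max(installed.values()),
    }


def why(lock_json, name):
    """For each installed copy of `name`, the chain of package names from the
    direct dependency that pulled it in down to the package itself."""
    _, depth, parent = walk(lock_json)
    chains = []
    for key in depth:
        if key and package_name(key) == name:
            chain, k = [], key
            while k:
                chain.append(package_name(k))
                k = parent[k]
            chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    print(dependency_stats(SAMPLE_LOCK))
    for chain in why(SAMPLE_LOCK, "tiny-util"):
        print(" -> ".join(chain))
```

On the constructed lockfile two direct dependencies turn into six installed packages across five names, one of which is installed twice at different majors; the `why` output is the question you ask first when a compromised version is announced ("did we install it, and through what?"). Run it against a real project by reading `package-lock.json` from disk instead of `SAMPLE_LOCK`.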
That is correct.