Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)

1208 points jamesberthoty | 3 comments | 16 Sep 25 11:22 UTC | HN request time: 0.524s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]▶

>>45260741 (OP) #

I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.

replies(3): >>45260975 #>>45261085 #>>45261124 #

oVerde ◴[16 Sep 25 11:51 UTC] No.45260975[source]▶

>>45260954 #

So basically you live JavaScript free?

replies(4): >>45260998 #>>45261034 #>>45261487 #>>45261734 #

Xelbair ◴[16 Sep 25 11:57 UTC] No.45261034[source]▶

>>45260975 #

as much as i can yes.

I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself.

replies(3): >>45261071 #>>45261213 #>>45261604 #

diggan ◴[16 Sep 25 12:01 UTC] No.45261071[source]▶

>>45261034 #

Off-topic, but I love how different programmers think about things, and how nothing really is "correct" or "incorrect". Started thinking about it because for me it's the opposite, JS is an OK and at least usable language, as long as you avoid TS and all that comes with it.

Still, even I who'd call myself a JavaScript developer also try to avoid desktop applications made with just JS :)

replies(2): >>45261241 #>>45262323 #

Xelbair ◴[16 Sep 25 12:19 UTC] No.45261241[source]▶

>>45261071 #

JS's issue is that it allows you to run an objectively wrong code without throwing explicit error to the user, it just fails silently or does something magical. Seems innocent, until you realize what we use JS for, other than silly websites or ERP dashboards.

It is full of gotchas that serves 0 purpose nowadays.

Also remember that it is basically a Lisp wearing Java skin on top, originally designed in less than 2 weeks.

Typescript is one of few things that puts safety barrier and sane static error checking that makes JS bearable to use - but it still has to fall down to how JS works in the end so it suffers from same core architectural problems.

replies(1): >>45261314 #

1. diggan ◴[16 Sep 25 12:26 UTC] No.45261314[source]▶

>>45261241 #

> JS's issue is that it allows you to run an objectively wrong code without throwing explicit error to the user, it just fails silently or does something magical. Seems innocent, until you realize what we use JS for, other than silly websites or ERP dashboards.

What some people see as a fault, others see as a feature :) For me, that's there to prevent entire websites from breaking because some small widget in the bottom right corner breaks, for example. Rather than stopping the entire runtime, it just surfaces that error in the developer tools, but lets the rest to continue working.

Then of course entire web apps crash because one tiny error somewhere (remember seeing a blank page with just some short error text in black in the middle? Those), but that doesn't mean that's the best way of doing things.

> Also remember that it is basically a Lisp wearing Java skin on top

I guess that's why I like it better than TS, that tries to move it away from that. I mainly do Clojure development day-to-day, and static types hardly ever gives me more "safety" than other approaches do. But again, what I do isn't more "correct" than what anyone else does, it's largely based on "It's better for me to program this way".

replies(2): >>45261377 #>>45272105 #

2. Xelbair ◴[16 Sep 25 12:33 UTC] No.45261377[source]▶

>>45261314 (TP) #

>it's there to prevent entire websites from breaking because some small widget in the bottom right corner breaks, for example.

the issue is that it prevents that, but also allows you to send complete corrupt data forward, that can create horrible cascade of errors down the pipeline - because other components made assumption about correctness of data passed to them.

Such display errors should be caught early in development, should be tested, and should never reach prod, instead of being swept under the rug - for anything else other than prototype.

but i agree - going fully functional with dynamic types beats average JS experience any day. It is just piling up more mud upon giant mudball,

3. joquarky ◴[17 Sep 25 05:33 UTC] No.45272105[source]▶

>>45261314 (TP) #

IME, JSDoc is sufficient for type checking.

TS is just too much overhead for the marginal gains.

↑