1208 points jamesberthoty | 3 comments
philipwhiuk ◴[] No.45261128[source]
post-install seems like it shouldn't be necessary anyway, let alone need shell access. What are legitimate JS packages using this for?
replies(4): >>45261294 #>>45261367 #>>45261717 #>>45262695 #
1. eknkc ◴[] No.45261367[source]
Does that even matter?

The malware could have been JS code injected into the module entry point itself. As soon as you execute something that imports the package (which you did install for a reason) the code can run.

I don't think that many people sandbox their development environments.

replies(1): >>45263142 #
2. theodorejb ◴[] No.45263142[source]
It absolutely matters. Many people install packages for front-end usage which would only be imported in the browser sandbox. Additionally, a package may be installed in a dev environment for inspection/testing before deciding whether to use it in production.

To me it's quite unexpected/scary that installing a package on my dev machine can execute arbitrary code before I ever have a chance to inspect the package to see whether I want to use it.

replies(1): >>45263260 #
3. eknkc ◴[] No.45263260[source]
I've been using pnpm and it does not run lifecycle scripts by default. Asks for confirmation and creates a whitelist if you allow things. Might be the better default.