(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

gchamonlive ◴[16 Sep 25 11:36 UTC] No.45260844[source]▶

>>45260741 (OP) #

We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?

replies(10): >>45260897 #>>45260900 #>>45260903 #>>45260982 #>>45261023 #>>45261089 #>>45261173 #>>45261189 #>>45261245 #>>45268913 #

karel-3d ◴[16 Sep 25 12:19 UTC] No.45261245[source]▶

>>45260844 #

There is a guy (ljharb) who is literally on TC39 - JavaScript specification committee - who is maintaining like 600 packages full of polyfills/dependencies/utilities.

It's just javascript being javascript.

replies(3): >>45261506 #>>45262656 #>>45262735 #

1. Sammi ◴[16 Sep 25 12:47 UTC] No.45261506[source]▶

>>45261245 #

There was a huge uproar about that guy specifically and deep dependency graphs in general a year ago. A lot has already changed for lots of the popular frameworks and libraries. Dependency graphs are already much slimmer. The cultural change is happening, but we can't expect it to happen all at once.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised