←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 5 comments | 16 Sep 25 11:22 UTC | HN request time: 0.706s | source
1. GuB-42 ◴[16 Sep 25 13:01 UTC] No.45261656[source]
> Shai Hulud

Clever name... but I would have expected malware authors to be a bit less obvious. They literally named their giant worm after a giant worm.

> At the core of this attack is a ~3.6MB minified bundle.js file

Yep, even malware can be bloated. That's in the spirit of NPM I guess...

replies(2): >>45261672 #>>45262396 #
2. jsheard ◴[16 Sep 25 13:03 UTC] No.45261672[source]
I suppose it's only a matter of time before one of these supply chain attacks unintentionally pulls in a second, unrelated supply chain attack.
replies(1): >>45268849 #
3. whynotmaybe ◴[16 Sep 25 14:02 UTC] No.45262396[source]
Malwares have to follow Moore's law, tequila virus was ~2.6kb in 1991.
replies(1): >>45273741 #
4. beeflet ◴[16 Sep 25 22:09 UTC] No.45268849[source]
fish grow to the meet the size of the fishbowl
5. arccy ◴[17 Sep 25 09:45 UTC] No.45273741[source]
not quite moore's law, growth at only 1.226x per year