
1208 points jamesberthoty | 6 comments
homebrewer No.45261199
When the left-pad debacle happened, one commenter here said of a well-known npm maintainer something to the effect that he's an "author of 600 npm packages, and 1200 lines of JavaScript".

Not much has changed since then. The best counter-example I know is esbuild, which is a fully featured bundler/minifier/etc that has zero external dependencies except for the Go stdlib + one package maintained by the Go project itself:

https://www.npmjs.com/package/esbuild?activeTab=dependencies

https://github.com/evanw/esbuild/blob/755da31752d759f1ea70b8...

Other "next generation" projects are trading one problematic ecosystem for another. When you study dependency chains of e.g. biomejs and swc, it looks pretty good:

https://www.npmjs.com/package/@biomejs/biome/v/latest?active...

https://www.npmjs.com/package/@swc/types?activeTab=dependenc...

Replacing the tire fire of eslint (and its hundreds to low thousands of dependencies) with zero of them! Very encouraging, until you find the Rust source:

https://github.com/biomejs/biome/blob/a0039fd5457d0df18242fe...

https://github.com/swc-project/swc/blob/6c54969d69551f516032...

I think as these projects gain more momentum, we will see similar things cropping up in the cargo ecosystem.

Does anyone know of other major projects written in as strict a style as esbuild?

replies(6): >>45261429 #>>45261662 #>>45261809 #>>45264078 #>>45267771 #>>45267783 #
1. zelphirkalt No.45261662
The answer is to not draw in dependencies for things you are easily able to write yourself. That would probably reduce dependencies by 2/3 or so in many projects. Especially, left-pad things. If you write properly self-contained small parts and a few tests, you probably don't have to touch them much, and the maintenance burden is not that high. Compare that with having to check every little dependency like left pad and all its code and its dependencies. If a dependency is not strictly necessary, then don't do it.
replies(1): >>45274228 #
2. user34283 No.45274228
That's not an answer at all. Jest alone adds 300 packages.

Why don't you share with us what your project does and how many packages are present?

replies(1): >>45274378 #
3. zelphirkalt No.45274378
My current project? Not sure what that has to do with the discussion, but my current project uses only a tiny bit of JS and has a fallback for users who don't run JS. It is a few pages taking a file to upload and all the actual sauce is in the backend, and it is rendering templates.

So I simply avoid the whole problem altogether in my current project. But aside from the JS stuff, the backend is in Python and I avoid adding dependencies from PyPI wherever possible. For example I had the choice of going with Pydantic and dataclasses and whatnot, but I resisted that, and came up with a quite minimalistic way to type check JSON documents, that is contained in one short module and easily extensible. Does it go to the same length as pydantic? No, it doesn't. If it did, I would be a genius. But it is quite sufficient for type safety in my project.

Keeping things simple is possible, if we set our minds to it. Sometimes one cannot avoid a big dependency, sure, but in many cases we actually can! We just need to beat that beast of habit of quickly adding a familiar dependency without thinking about the cost.

replies(1): >>45274537 #
4. user34283 No.45274537{3}
So you're not using the npm ecosystem at all.

Surely you see how that might be relevant to the discussion where you appeared to give advice on how to solve the npm dependency graph problem.

That you're not using npm or other node package managers at all is the key information here. Not that it's invalid, but it's a very different setup.

replies(1): >>45275650 #
5. zelphirkalt No.45275650{4}
It's not like I haven't worked on projects using NPM before ... Where I avoided adding dependencies willy-nilly. So trying to pin me on my current one project, disregarding any previous experience, is quite faulty argumentation that doesn't invalidate anything I wrote.
replies(1): >>45275860 #
6. user34283 No.45275860{5}
Adding a single dependency on one popular package - such as Jest - can add 300 packages.

I am not convinced you ever checked how many packages were actually present in your projects, as you shared no specifics.

I assume you just did not check, and may have had hundreds of packages installed despite avoiding adding dependencies willy-nilly. This invalidates your suggestion.
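
The package counts argued over in this thread can be read straight from a lockfile. The following is an added example, not code from any commenter: it walks the `packages` map of an npm lockfile (v2/v3 layout) and reports how many installed packages each direct dependency pulls in. The sample lockfile, its package names, and the function names are constructed for illustration.

```javascript
// Constructed sample in npm lockfile v2/v3 layout; package names are made up.
const sampleLock = { packages: {
  "": { dependencies: { "tiny-pad": "^1.0.0" }, devDependencies: { "test-runner": "^2.0.0" } },
  "node_modules/tiny-pad": { version: "1.0.0" },
  "node_modules/test-runner": { version: "2.0.0", dependencies: { reporter: "^1.0.0", "util-a": "^2.0.0" } },
  "node_modules/reporter": { version: "1.0.0", dependencies: { "util-a": "^1.0.0" } },
  "node_modules/reporter/node_modules/util-a": { version: "1.4.0" },
  "node_modules/util-a": { version: "2.1.0", dependencies: { "util-b": "^1.0.0" } },
  "node_modules/util-b": { version: "1.0.0" },
} };

// Node-style resolution: look in the dependent's own node_modules, then walk up.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (Object.hasOwn(packages, candidate)) return candidate;
    if (base === "") return null; // declared but not installed (e.g. optional)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every lockfile entry reachable from one starting entry, including itself.
function closure(packages, start) {
  const seen = new Set([start]), queue = [start];
  while (queue.length) {
    const path = queue.pop();
    const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
    for (const name of Object.keys(deps)) {
      const hit = resolve(packages, path, name);
      if (hit && !seen.has(hit)) { seen.add(hit); queue.push(hit); }
    }
  }
  return seen;
}

// Direct dependency count, total installed entries, and packages pulled in per direct dependency.
function auditLock(lock) {
  const root = lock.packages[""] || {};
  const direct = Object.keys({ ...root.dependencies, ...root.devDependencies });
  const perDirect = {};
  for (const name of direct) {
    const start = resolve(lock.packages, "", name);
    perDirect[name] = start ? closure(lock.packages, start).size : 0;
  }
  const installed = Object.keys(lock.packages).filter((p) => p !== "").length;
  return { direct: direct.length, installed, perDirect };
}
console.log(auditLock(sampleLock));
```

To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock`; workspace link entries are counted as installed entries here.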