(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0.443s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

Show context

GuB-42 ◴[16 Sep 25 13:01 UTC] No.45261656[source]▶

> Shai Hulud

Clever name... but I would have expected malware authors to be a bit less obvious. They literally named their giant worm after a giant worm.

> At the core of this attack is a ~3.6MB minified bundle.js file

Yep, even malware can be bloated. That's in the spirit of NPM I guess...

1. jsheard ◴[16 Sep 25 13:03 UTC] No.45261672[source]▶

I suppose it's only a matter of time before one of these supply chain attacks unintentionally pulls in a second, unrelated supply chain attack.

replies(1): >>45268849 #

2. beeflet ◴[16 Sep 25 22:09 UTC] No.45268849[source]▶

fish grow to the meet the size of the fishbowl

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised