←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 4 comments | 16 Sep 25 11:22 UTC | HN request time: 0.541s | source
1. pingou ◴[16 Sep 25 13:07 UTC] No.45261719[source]
As a developer, is there a way on mac to limit npm file access to the specific project? So that if you install a compromised package it cannot access any data outside of your project directory?
replies(3): >>45261765 #>>45263796 #>>45269698 #
2. mfro ◴[16 Sep 25 13:10 UTC] No.45261765[source]
Frankly, I am refusing to use npm outside of docker anymore.
3. freakynit ◴[16 Sep 25 15:43 UTC] No.45263796[source]
Wrote a small utility shell script that uses docker behind the scenes to prevent access to your host machine while still allowing full npm install and run workflow.

https://github.com/freakynit/simple-npm-sandbox

Disclaimer: I am not Docker expert. Please review the script (sandbox.js) and raise any potential issues or suggestions.

Thanks..

4. tredre3 ◴[16 Sep 25 23:34 UTC] No.45269698[source]
You can run nodejs through `sandbox-exec` which is part of macos.

I've never tried any of them but there's also a few wrappers specifically to do that, such as: https://github.com/berstend/node-safe

Otherwise you're down to docker or virtualisation or creating one system user per project...