
1208 points jamesberthoty | 3 comments
jbd0 ◴[] No.45260954[source]
I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.
replies(3): >>45260975 #>>45261085 #>>45261124 #
epolanski ◴[] No.45261124[source]
"I knew you weren't a great engineer the moment you started pulling dependencies for a simple app"

You realize my point, right? People are taught to not reinvent the wheel at work (mostly for good reasons) so that's what they do, me and you included.

You ain't gonna be bothered to write HTML and manual manipulation, the people that will give you libraries to do so won't be bothered reimplementing parsers and file watchers, file watcher writers won't be bothered reimplementing file system utils, file system utils developers won't be bothered reimplementing structured cloning or event loops, etc, etc.

I myself just the other day had the task of converting HTML to markdown, because I don't remember whether it was Jira or GitHub APIs that return comments as HTML, and despite it being mostly a few hours of work that would get us 90% there, everybody was in favor of pulling a dependency to do so (with its own dependencies) and thus further exposing our application to those risks.

replies(1): >>45261333 #
komali2 ◴[] No.45261333[source]
Pause, you could write an HTML to markdown library in half a day? Like, 4 hours? Or 12? Either way, damn.
replies(1): >>45261344 #
epolanski ◴[] No.45261344[source]
One that gets me 90% there would take me a few hours, one that gets me 99% there a few months, which is why eventually people would rather pull a dependency.
replies(1): >>45261442 #
williamcotton ◴[] No.45261442[source]
Or about 15 minutes with an LLM?

https://github.com/williamcotton/markdown-to-html-llm

  ;)
replies(2): >>45261661 #>>45262461 #
neilv ◴[] No.45261661[source]
In less time than that, you could `git clone` the desired open source package, and text search & replace the author's name with your own.
replies(1): >>45261742 #
1. williamcotton ◴[] No.45261742{3}[source]
And then still be subject to supply-chain attacks with all of the dependencies in whatever open source package you're cloning?
replies(1): >>45263358 #
2. xrisk ◴[] No.45263358[source]
You are aware that the app you just wrote with Claude pulls in dependencies, yes?
replies(1): >>45263478 #
3. williamcotton ◴[] No.45263478[source]
Not for the parser, only for the demo server! And I guess the dev dependencies as well, but with a much smaller surface area. But yeah, I don't think a TypeScript compiler is within the scope of an LLM.