
1208 points jamesberthoty | 5 comments
codemonkey-zeta No.45261026
I'm coming to the unfortunate realization that supply chain attacks like this are simply baked into the modern JavaScript ecosystem. Vendoring can mitigate your immediate exposure, but does not solve this problem.

These attacks may just be the final push I needed to take server rendering (without js) more seriously. The HTMX folks convinced me that I can get REALLY far without any JavaScript, and my apps will probably be faster and less janky anyway.

replies(18): >>45261086 #>>45261121 #>>45261140 #>>45261165 #>>45261220 #>>45261265 #>>45261285 #>>45261457 #>>45261571 #>>45261702 #>>45261970 #>>45262601 #>>45262619 #>>45262851 #>>45267210 #>>45268405 #>>45269073 #>>45273081 #
reactordev No.45261220
Until you go get malware

Supply chain attacks happen at every layer where there is package management or a vector onto the machine or into the code.

What NPM should do if they really give a shit is start requiring 2FA to publish. Require a scan prior to publish. Sign the package with hard keys and signature. Verify all packages installed match signatures. Semver matching isn’t enough. CRC checks aren’t enough. This has to be baked into packages and package management.

replies(6): >>45261275 #>>45261601 #>>45261616 #>>45261805 #>>45262090 #>>45263276 #
1. floydnoel No.45261805
NPM does require 2FA to publish. I would love a workaround! Isn't it funny that even here on HN, misinformation is constantly being spread?
replies(3): >>45262306 #>>45268926 #>>45271279 #
2. cxr No.45262306
NPM does not require two-factor authentication. If two-factor authentication is enabled for your account and you wish to disable it, this explains how to do that if allowed by your organization:

<https://docs.npmjs.com/configuring-two-factor-authentication...>

replies(1): >>45264888 #
3. bakkoting No.45264888
It doesn't require 2FA in general, but it does for people with publish rights for popular packages, which covers most or all of the recent security incidents.

https://github.blog/changelog/2022-11-01-high-impact-package...

4. olejorgenb No.45268926
> The malware includes a self-propagation mechanism through the NpmModule.updatePackage function. This function queries the NPM registry API to fetch up to 20 packages owned by the maintainer, then force-publishes patches to these packages.
5. yawaramin No.45271279
npm offers 2FA but it doesn't really advertise that it has a phishing-resistant 2FA (security keys, aka passkeys, aka WebAuthn) available and just happily lets you go ahead and use a very phishable OTP if you want. I place much of the blame for publishers getting phished on npm.