←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 5 comments | 16 Sep 25 11:22 UTC | HN request time: 2.289s | source
1. redbell ◴[16 Sep 25 13:19 UTC] No.45261876[source]
Related (7 days ago):

NPM debug and chalk packages compromised (1366 points, 754 comments): https://news.ycombinator.com/item?id=45169657

replies(2): >>45262033 #>>45263493 #
2. xrisk ◴[16 Sep 25 13:32 UTC] No.45262033[source]
Seems to be a separate incident?
replies(1): >>45262336 #
3. nine_k ◴[16 Sep 25 13:56 UTC] No.45262336[source]
Separate? Yes. Unrelated? Hard to tell.
replies(1): >>45264702 #
4. flanbiscuit ◴[16 Sep 25 15:18 UTC] No.45263493[source]
Related in that this is another, separate, attack on npm.

No direct relation to the specific attack on debug/chalk/error-ex/etc that happened 7 days ago.

The article states that this is the same attackers that got control of the "nx" packages on August 27th, which didn't really get a lot of traction on HN when it happened: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...

5. junon ◴[16 Sep 25 16:49 UTC] No.45264702{3}[source]
It's unrelated in every observable technical way, but related in that it's a bit crazy how often this is happening to npm lately.

I'm glad it wasn't this particular attack that hit me last week.