←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 6 comments | 16 Sep 25 11:22 UTC | HN request time: 0.756s | source | bottom
1. quotemstr ◴[16 Sep 25 13:20 UTC] No.45261879[source]
Jesus Christ. Another one? What the fuck?

This isn't a JavaScript problem. What, structurally, stops the same thing happening to PyPI? Or the Rust ecosystem? Or Lisp via QuickLisp? Or CPAN?

This whole mess was foreseeable. So what's to be done?

Look. Any serious project needs to start vendoring its dependencies. People should establish big, coarse grained meta-distributions like C++ Boost that come from a trustable authority and that get updated infrequently enough that you can keep up with release notes.

replies(4): >>45262641 #>>45263099 #>>45263169 #>>45264740 #
2. lyu07282 ◴[16 Sep 25 14:22 UTC] No.45262641[source]
Rust was hit by a similar attempt: https://github.com/rust-lang/crates.io/discussions/11889

Nothing much came of it, I don't know.

3. fulafel ◴[16 Sep 25 14:51 UTC] No.45263099[source]
They were new versions of the packages instead of modified existing ones so vendoring has the same effect as the usual practice of pinning npm deps and using npm ci, I think.
4. perlgeek ◴[16 Sep 25 14:55 UTC] No.45263169[source]
> This isn't a JavaScript problem. What, structurally, stops the same thing happening to PyPI? Or the Rust ecosystem? Or Lisp via QuickLisp? Or CPAN?

For one, NPM has a really sprawling ecosystem where it's normal to have many dependencies.

I remember that I once tried to get started with angular, and I did an "init" for an empty project and "compile", and suddenly had half a gigabyte of code lying in my directory.

This means that there is a high number of dependencies that are potential targets for a supply chain attack.

I just took a look at our biggest JS/Typescript project at work, it comes in at > 1k (recursive) NPM dependencies. Our biggest Python project has 78 recursive dependencies. They are of comparable size in terms of lines of code and total development time.

Why? Differences in culture, as well as python coming with more "batteries included", so there's less need for small dependencies.

replies(1): >>45265445 #
5. lycopodiopsida ◴[16 Sep 25 16:51 UTC] No.45264740[source]
> Or Lisp via QuickLisp

Common Lisp is not worth it - you are unlikely to hit any high-value production target, there are not many uses and they are tech-savy. Good for us, the 5 remaining users. Also, Quicklisp is not rolling-release, it is a snapshot done one or two times a year.

6. quotemstr ◴[16 Sep 25 17:48 UTC] No.45265445[source]
> For one, NPM has a really sprawling ecosystem where it's normal to have many dependencies.

Agreed, but it's a difference of degree (literally --- graph in- and out-degree) not kind.