    1208 points jamesberthoty | 25 comments
    1. cddotdotslash No.45262019
    I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.

    Aikido says: > We were alerted to a large-scale attack against npm...

    Socket says: > Socket.dev found compromised various CrowdStrike npm packages...

    Ox says: > Attackers slipped malicious code into new releases...

    Safety says: > The Safety research team has identified an attack on the NPM ecosystem...

    Phoenix says: > Another supply chain and NPM maintainer compromised...

    Semgrep says: > We are aware of a number of compromised npm packages

    replies(6): >>45262042 >>45262074 >>45262368 >>45262518 >>45263064 >>45263487
    2. augzodia No.45262042
    OP article says: > The incident was discovered by @franky47, who promptly notified the community through a GitHub issue.
    replies(1): >>45262782
    3. jamesberthoty No.45262074
    Several individual developers seem to have noticed it at around the same time with Step and Socket pointing to different people in their blogs.

    And then vendors from Socket, Aikido, and Step all seem to have detected it via their upstream malware detection feeds - Socket and Aikido do AI code analysis, and Step does eBPF monitoring of build pipelines. I think this was widespread enough it was noticed by several people.

    4. m4r71n No.45262368
    Since so many vendors discovered these packages seemingly independently, you'd think that they would share those mechanisms with NPM itself so that those packages would never be published in the first place. But I guess that removes their ability to sell an "early alert" mechanism through their offerings...
    replies(1): >>45262594
    5. No.45262518
    6. progbits No.45262594
    NPM is owned by github/microsoft. I'm sure they could afford to buy one of these products or just build their own, but clearly security is not a thing they care about.
    replies(3): >>45262772 >>45263297 >>45264527
    7. codazoda No.45262772{3}
    Somehow I didn't realize GitHub purchased npm in 2020. GitHub is the second word on npmjs.org. How did I not notice?
    replies(1): >>45263412
    8. codazoda No.45262782
    Points to this, which does look like the first mention.

    https://github.com/scttcper/tinycolor/issues/256

    9. advocatemack No.45263064
    Mackenzie here, I work for Aikido. This is a classic example of the security community all playing a part. The very first notice of this was from a developer named Daniel Pereira. He alerted Socket, who did the first review of the malware and discovered 40 packages. After, Aikido discovered an additional 147 packages and the CrowdStrike packages. I'm not sure how Step found it, but they were the first to really understand the malware and that it was a self-replicating worm. So multiple parties all playing a part, kind of independently. It's pretty cool.
    replies(1): >>45269054
    10. foobarbecue No.45263297{3}
    Can't help noticing, in the original article:

    > The entire attack design assumes Linux or macOS execution environments, checking for os.platform() === 'linux' || 'darwin'. It deliberately skips Windows systems

    If I were the conspiracy-minded sort I might jump to some wild conclusions here.

    replies(2): >>45264766 >>45266148
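    An added example, not code from the article or from any of the vendors quoted in this thread: the platform check as written in the sentence quoted above, next to the form that actually limits execution to Linux and macOS. In JavaScript `===` binds tighter than `||`, so `os.platform() === 'linux' || 'darwin'` parses as `(os.platform() === 'linux') || 'darwin'`, and the non-empty string `'darwin'` is truthy, so that expression is truthy on every platform, Windows included. Whether the real malware carried this precedence bug or the article condensed the check is not something this thread settles; the block only shows what the quoted expression evaluates to. The platform strings are the ones Node's `process.platform` returns.

```javascript
// Added example (not from the article or the thread).
// Platform gate exactly as quoted, beside the form that really restricts
// execution to Linux/macOS. Uses process.platform so it runs without imports.

// As quoted: `os.platform() === 'linux' || 'darwin'`.
// Parsed as (platform === 'linux') || 'darwin'; 'darwin' is a truthy string,
// so the gate opens on every platform. Boolean() makes the result explicit.
function gateAsQuoted(platform) {
  return Boolean(platform === 'linux' || 'darwin');
}

// The form that actually skips Windows (and every other platform).
function gateFixed(platform) {
  return platform === 'linux' || platform === 'darwin';
}

// Evaluate both forms over a list of Node platform identifiers.
function compare(platforms) {
  return platforms.map((p) => ({
    platform: p,
    asQuoted: gateAsQuoted(p),
    fixed: gateFixed(p),
  }));
}

// Node's process.platform values for the usual targets.
for (const row of compare(['linux', 'darwin', 'win32', 'freebsd'])) {
  console.log(`${row.platform}: quoted=${row.asQuoted} fixed=${row.fixed}`);
}
console.log(`this host (${process.platform}): fixed gate = ${gateFixed(process.platform)}`);
```

    The practical takeaway for anyone triaging a sample: read the gate as parsed, not as it was presumably intended, before concluding which hosts it spares.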
    11. octo888 No.45263412{4}
    Microsoft: GitHub, NPM, typescript, VS Code, OpenAI, Playwright

    A lot of fingers in a lot of pies

    replies(2): >>45266053 >>45267822
    12. Onavo No.45263487
    Usually security companies monitor CVEs and the security mailing lists. That's how they all end up releasing the blog posts at the same time. It's because they are all using the same primary source.
    13. kjok No.45264527{3}
    Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR.
    replies(1): >>45274026
    14. acomjean No.45264766{4}
    I’m using Windows again. By default Windows has “PowerShell”, which is not at all like bash and is (how do I say this diplomatically)… wanting.

    I mean, it says something that they developed the Linux Subsystem for Windows, but it’s an optional install.

    replies(3): >>45265934 >>45266823 >>45267625
    15. jahsome No.45265934{5}
    What don't you like about PowerShell?

    I'm a die-hard Linux user, and some years ago took a Windows gig on a whim. I find PowerShell fantastic and the only thing that makes my role bearable. Now, one of the first things I install on Linux is PowerShell.

    replies(1): >>45267838
    16. LPisGood No.45266053{5}
    I believe someone working there once said “Developers, developers, developers, developers, developers!”
    17. chatmasta No.45266148{4}
    Whoever made the exploit probably doesn’t use windows.
    18. stockresearcher No.45266823{5}
    I watched an interview with Jeff Snover once and he said that they tried to make a unixy bash-like shell a few times and decided it was never going to fit in Windows. So they went a different way and took a lot of inspiration from OpenVMS.

    So don’t expect PowerShell to be like a UNIX shell. It isn’t, and wasn’t meant to be one. It’s different, on purpose :)

    19. vips7L No.45267625{5}
    PowerShell is amazing. Just don't expect it to be POSIX. Using objects and structured data is leagues better than string parsing in POSIX shells imo.
    20. philipwhiuk No.45267822{5}
    Also LinkedIn
    21. philipwhiuk No.45267838{6}
    The awk equivalents in PowerShell are horrific.
    replies(1): >>45271737
    22. sauercrowd No.45269054
    Question: how does your product help in these situations? I imagine it'd require someone to report a compromised package, and then you guys could detect it in my codebase?
    replies(1): >>45273990
    23. jahsome No.45271737{7}
    You don't find awk itself horrific in its own way?
    24. singulasar No.45273990{3}
    Yes to “you guys can detect it in my codebase”, but it's generally not required for someone to report a compromised package; we also discover them ourselves quite fast through automated scans of npm package updates. This is how Aikido was first to discover the previous supply chain hack.

    The easiest way for you to use our product to be protected is actually using one of our free open source tools. https://www.npmjs.com/package/@aikidosec/safe-chain

    This is a wrapper around npm etc. that will prevent you from installing malware.

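    The mechanism the two comments above describe, as an added example that is not safe-chain, not Aikido's code, and not any vendor's scanner: a lockfile gate that resolves every `name@version` in a `package-lock.json` (lockfile v2/v3 `packages` map), compares it against a denylist of known-bad versions, and refuses to proceed on a hit, which is the shape a wrapper around `npm ci` or a CI step takes. The package names, versions and the lockfile fragment are constructed for the example; the denylist is hardcoded here where a real tool would pull it from a feed, and the gate catches only versions already known to be bad, which is exactly why who discovers a compromise first, and how fast, matters.

```javascript
// Added example (not safe-chain or any vendor's tool). A pre-install gate:
// parse a package-lock.json "packages" map, match each resolved name@version
// against a denylist, and refuse the install on a hit.

// Constructed denylist: package name -> set of known-bad versions.
// Names and versions are invented; a real gate would load this from a feed.
const DENYLIST = {
  'example-color-utils': new Set(['4.1.1', '4.1.2']),
  '@example/build-helper': new Set(['2.0.7']),
};

// Lockfile v2/v3 keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar" (a nested copy). The package name is
// everything after the last "node_modules/", which also keeps scoped names
// such as "@example/build-helper" intact.
function listLockedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself, not a dependency
    const marker = 'node_modules/';
    const idx = key.lastIndexOf(marker);
    const name = idx === -1 ? key : key.slice(idx + marker.length);
    if (entry && entry.version) out.push({ name, version: entry.version, path: key });
  }
  return out;
}

// Every locked package whose exact version is on the denylist.
function findDenied(lock, denylist = DENYLIST) {
  return listLockedPackages(lock).filter(
    ({ name, version }) => denylist[name] !== undefined && denylist[name].has(version),
  );
}

// Constructed lockfile fragment: a clean version of a denylisted package at
// top level, a bad scoped package, and a bad version nested under another
// dependency (the case a top-level-only check would miss).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-color-utils': { version: '4.1.0' },
    'node_modules/@example/build-helper': { version: '2.0.7' },
    'node_modules/some-cli': { version: '9.3.0' },
    'node_modules/some-cli/node_modules/example-color-utils': { version: '4.1.2' },
  },
};

// Returns true when the install may proceed. A wrapper would exit non-zero
// on false so `npm ci` never runs; here we only report.
function gate(lock, denylist = DENYLIST) {
  const hits = findDenied(lock, denylist);
  for (const h of hits) {
    console.error(`BLOCKED ${h.name}@${h.version} at ${h.path}`);
  }
  return hits.length === 0;
}

if (!gate(SAMPLE_LOCK)) {
  console.error('install refused: denylisted package versions in lockfile');
} else {
  console.log('lockfile clean');
}
```

    Two caveats a practitioner would add: the gate only sees what the lockfile resolves, so it does nothing for a `postinstall` script already on disk, and exact-version matching means a fresh malicious release is invisible until someone's feed names it.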
    25. singulasar No.45274026{4}
    On the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.

    MS doesn't care