←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.203s | source
Show context
cddotdotslash ◴[16 Sep 25 13:31 UTC] No.45262019[source]
I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.

Aikido says: > We were alerted to a large-scale attack against npm...

Socket says: > Socket.dev found compromised various CrowdStrike npm packages...

Ox says: > Attackers slipped malicious code into new releases...

Safety says: > The Safety research team has identified an attack on the NPM ecosystem...

Phoenix says: > Another supply chain and NPM maintainer compromised...

Semgrep says: > We are aware of a number of compromised npm packages

replies(6): >>45262042 #>>45262074 #>>45262368 #>>45262518 #>>45263064 #>>45263487 #
1. jamesberthoty ◴[16 Sep 25 13:35 UTC] No.45262074[source]
Several individual developers seem to have noticed it at around the same time with Step and Socket pointing to different people in their blogs.

And then vendors from Socket, Aikido, and Step all seem to have detected it via their upstream malware detection feeds - Socket and Aikido do AI code analysis, and Step does eBPF monitoring of build pipelines. I think this was widespread enough it was noticed by several people.