(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.204s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]▶

>>45260741 (OP) #

I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.

replies(3): >>45260975 #>>45261085 #>>45261124 #

oVerde ◴[16 Sep 25 11:51 UTC] No.45260975[source]▶

>>45260954 #

So basically you live JavaScript free?

replies(4): >>45260998 #>>45261034 #>>45261487 #>>45261734 #

Xelbair ◴[16 Sep 25 11:57 UTC] No.45261034[source]▶

>>45260975 #

as much as i can yes.

I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself.

replies(3): >>45261071 #>>45261213 #>>45261604 #

hoppp ◴[16 Sep 25 12:57 UTC] No.45261604[source]▶

>>45261034 #

Lucky you. I keep coming back to it because jobs and even for desktop apps a native webview beats everything else.

We fcked up with js, big time and its with us forever now

replies(3): >>45261698 #>>45261995 #>>45281955 #

sfn42 ◴[16 Sep 25 13:29 UTC] No.45261995[source]▶

>>45261604 #

I was hyped for wasm because i thought it was supposed to solve this problem, allowing any programming language to be compiled to run in browsers.

But apparently they only made it do like 95% of what JS does so you can't actually replace js with it. To me it seems like a huge blunder. I don't give a crap about making niche applications a bit faster, but freeing the web from the curse of JS would be absolutely huge. And they basically did it except not quite. It's so strange to me, why not just go the extra 5%?

replies(3): >>45262081 #>>45265200 #>>45272185 #

1. hoppp ◴[16 Sep 25 13:36 UTC] No.45262081[source]▶

>>45261995 #

Maybe its something about sharing memory with the js that would introduce serious vulnerabilities so they can't let wasm code have access to everything.

The only way to remove Js is to create a new browser that doesn't use it. Fragments the web, yes and probably nobody will use it

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised