←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0.43s | source
Show context
redbell ◴[16 Sep 25 13:19 UTC] No.45261876[source]
Related (7 days ago):

NPM debug and chalk packages compromised (1366 points, 754 comments): https://news.ycombinator.com/item?id=45169657

replies(2): >>45262033 #>>45263493 #
xrisk ◴[16 Sep 25 13:32 UTC] No.45262033[source]
Seems to be a separate incident?
replies(1): >>45262336 #
1. nine_k ◴[16 Sep 25 13:56 UTC] No.45262336[source]
Separate? Yes. Unrelated? Hard to tell.
replies(1): >>45264702 #
2. junon ◴[16 Sep 25 16:49 UTC] No.45264702[source]
It's unrelated in every observable technical way, but related in that it's a bit crazy how often this is happening to npm lately.

I'm glad it wasn't this particular attack that hit me last week.