←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 7 comments | 16 Sep 25 11:22 UTC | HN request time: 0.001s | source | bottom
Show context
codemonkey-zeta ◴[16 Sep 25 11:56 UTC] No.45261026[source]
I'm coming to the unfortunate realizattion that supply chain attacks like this are simply baked into the modern JavaScript ecosystem. Vendoring can mitigate your immediate exposure, but does not solve this problem.

These attacks may just be the final push I needed to take server rendering (without js) more seriously. The HTMX folks convinced me that I can get REALLY far without any JavaScript, and my apps will probably be faster and less janky anyway.

replies(18): >>45261086 #>>45261121 #>>45261140 #>>45261165 #>>45261220 #>>45261265 #>>45261285 #>>45261457 #>>45261571 #>>45261702 #>>45261970 #>>45262601 #>>45262619 #>>45262851 #>>45267210 #>>45268405 #>>45269073 #>>45273081 #
tarruda ◴[16 Sep 25 12:11 UTC] No.45261165[source]
AFAICT, the only thing this attack relies on, is the lack of scrutiny by developers when adding new dependencies.

Unless this lack of scrutiny is exclusive to JavaScript ecosystem, then this attack could just as well have happened in Rust or Golang.

replies(6): >>45261185 #>>45261224 #>>45261255 #>>45262968 #>>45267488 #>>45274187 #
hsbauauvhabzb ◴[16 Sep 25 12:13 UTC] No.45261185[source]
JavaScript does have some pretty insane dependency trees. Most other languages don’t have anywhere near that level of nestedness.
replies(4): >>45261308 #>>45261471 #>>45261685 #>>45261896 #
cxr ◴[16 Sep 25 12:45 UTC] No.45261471[source]
It's not possible for a language to have an insane dependency tree. That's an attribute of a codebase.
replies(2): >>45262259 #>>45262954 #
WD-42 ◴[16 Sep 25 13:49 UTC] No.45262259[source]
Maybe the language should have a standard library then.
replies(1): >>45262486 #
1. skydhash ◴[16 Sep 25 14:10 UTC] No.45262486[source]
C library is smaller than Node.js (you won’t have HTTP). What C have is much more respectable libraries. If you add libcurl or freetype to your project, it won’t pull the whole jungle with them.
replies(2): >>45263387 #>>45266734 #
2. int_19h ◴[16 Sep 25 15:10 UTC] No.45263387[source]
What C doesn't have is an agreed-upon standard package manager. Which means that any dependency - including transitive ones! - requires some effort on behalf of the developer to add to the build. And that, in turn, puts pressure on library authors to avoid dependencies other than a few well-established libraries (like libpng or GLib),
3. koakuma-chan ◴[16 Sep 25 19:25 UTC] No.45266734[source]
You can add curl to a Rust project too.
replies(1): >>45270294 #
4. aakkaakk ◴[17 Sep 25 01:01 UTC] No.45270294[source]
But why, when reqwest is enough for 99% of cases.
replies(3): >>45270603 #>>45278194 #>>45281451 #
5. koakuma-chan ◴[17 Sep 25 01:45 UTC] No.45270603{3}[source]
It's bloated.
6. WD-42 ◴[17 Sep 25 16:42 UTC] No.45278194{3}[source]
It requires Tokio, and believe it or not there are actual cases for non-async rust. So you can't use it in that case.
7. bigstrat2003 ◴[17 Sep 25 21:11 UTC] No.45281451{3}[source]
Because it requires using async, and for most programs async is not worth the extra effort (plus very heavy dependency in the form of Tokio).