←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 7 comments | 16 Sep 25 11:22 UTC | HN request time: 0.809s | source | bottom
Show context
Meneth ◴[16 Sep 25 12:25 UTC] No.45261303[source]
This happens because there's no auditing of new packages or versions. The distro's maintainer and the developer is the same person.

The general solution is to do what Debian does.

Keep a stable distro where new packages aren't added and versions change rarely (security updates and bugfixes only, no new functionality). This is what most people use.

Keep a testing/unstable distro where new packages and new versions can be added, but even then added only by the distro maintainer, NOT by the package developers. This is where the audits happen.

NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

replies(25): >>45261528 #>>45261617 #>>45261792 #>>45262591 #>>45262655 #>>45262978 #>>45263089 #>>45263137 #>>45263570 #>>45263728 #>>45264113 #>>45264189 #>>45265297 #>>45266032 #>>45266873 #>>45267343 #>>45268626 #>>45268669 #>>45269007 #>>45269777 #>>45270131 #>>45270753 #>>45272097 #>>45273282 #>>45273471 #
1. SkiFire13 ◴[16 Sep 25 14:19 UTC] No.45262591[source]
> Keep a stable distro where new packages aren't added and versions change rarely (security updates and bugfixes only, no new functionality). This is what most people use.

Unfortunately most people don't want old software that doesn't support newer hardware so most people don't end up using Debian stable.

replies(5): >>45263830 #>>45263936 #>>45264687 #>>45267821 #>>45269435 #
2. bpt3 ◴[16 Sep 25 15:45 UTC] No.45263830[source]
What hardware isn't supported by Debian stable that is supported by unstable?

Or is this just a "don't use Linux" gripe?

replies(1): >>45268074 #
3. lenerdenator ◴[16 Sep 25 15:53 UTC] No.45263936[source]
It'd be interesting to see how much of the world runs on Debian containers, where most of the whole "it doesn't support my insert consumer hardware here" argument is completely moot.
4. veber-alex ◴[16 Sep 25 16:47 UTC] No.45264687[source]
I don't know why you went with hardware.

Most people don't want old software because they don't want old software.

They want latest features, fixes and performance improvements.

5. nzeid ◴[16 Sep 25 20:48 UTC] No.45267821[source]
Enable the Backport sources. The recent kernels there have supported all my modern personal devices.
6. BoredPositron ◴[16 Sep 25 21:08 UTC] No.45268074[source]
I haven't had much problems prior but Blackwell support was really buggy for the first two weeks.
7. dmitrygr ◴[16 Sep 25 23:05 UTC] No.45269435[source]
> Unfortunately most people don't want old software

"old" is a strange way to spell "new, unstable, and wormed".

I want old software. Very little new features are added to most things i care about, mostly it is just bloat, AI slop, and monthly subscription shakedowns being added to software today.