←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.2s | source
Show context
freakynit ◴[16 Sep 25 11:38 UTC] No.45260858[source]
New day, new npm malware. Sigh..
replies(3): >>45260898 #>>45260942 #>>45268206 #
motorest ◴[16 Sep 25 11:43 UTC] No.45260898[source]
> New day, new npm malware. Sigh..

This. But the problem seems to go way deeper than npm or whatever package manager is used. I mean, why is anyone consuming a package like colors or tinycolors? Do projects really need to drag in a random dependency to handle these usecases?

replies(2): >>45260930 #>>45261400 #
diggan ◴[16 Sep 25 11:47 UTC] No.45260930[source]
So rather than focusing on how Microsoft/npm et al can prevent similar situations in the future, you chose to think about what relevance/importance each individual package has?

There will always be packages that for some people are "but why?" but for others are "thank god I don't have to deal with that myself". Sure, colors and whatnot are tiny packages we probably could do without, but what are you really suggesting here? Someone sits and reviews every published package and rejects it if the package doesn't fit your ideal?

replies(2): >>45261253 #>>45262805 #
1. motorest ◴[16 Sep 25 14:33 UTC] No.45262805[source]
> So rather than focusing on how Microsoft/npm et al can prevent similar situations in the future, (...)

There's some ignorance in your comment. If you read up on debug & chalk supply chain attack, you'll end up discovering that the attacker gained control of the account through plain old phishing. Through a 2FA reset email, to boot.

What exactly do you expect the likes of Microsoft to do if users hand over their access to third parties? Do you want to fix issues or to pile onto the usual targets?