1208 points jamesberthoty | 10 comments
1. paulirish No.45263141
This vulnerability was reported to NPM in 2016: https://blog.npmjs.org/post/141702881055/package-install-scr... https://www.kb.cert.org/vuls/id/319816 but the NPM response was WAI.
replies(3): >>45263800 #>>45264329 #>>45274286 #
2. rectang No.45263800
Acronym expansion for those-not-in-the-know (such as me before a web search): WAI might mean "working as intended", or possibly "why?"
replies(1): >>45266628 #
3. debazel No.45264329
Even if we didn't have post-install scripts, wouldn't the malware just run as soon as you imported the module into your code during the build process, server startup, testing, etc.?

I can't think of an instance where I ran npm install and didn't run some process shortly after that imported the packages.

replies(1): >>45264717 #
4. theodorejb No.45264717
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
replies(2): >>45269205 #>>45269782 #
5. 201984 No.45266628
Thank you. It's frustrating when people use uncommon acronyms without explaining them.
replies(1): >>45267301 #
6. maxverse No.45267301{3}
AI is helpful for this, but I also built https://www.hackterms.com eight years ago for this exact reason.
replies(1): >>45273575 #
7. brw No.45269205{3}
I wonder why npm doesn't block pre/postinstall scripts by default, which pnpm and Bun (and I imagine others) already do.

EDIT: oh I scrolled down a bit further and see you said the exact same thing in a top-level comment hahah, my bad

8. mdavidn No.45269782{3}
Malicious client-side code can still perform any user action, exfiltrate user data via cross-domain requests, and probe the user's local network.
9. Vinnl No.45273575{4}
And of course good old Urban Dictionary: https://www.urbandictionary.com/define.php?term=WAI
10. amai No.45274286
NPM belongs to Microsoft. What do you expect?