
1208 points jamesberthoty | 13 comments
1. theodorejb No.45263347
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.

replies(3): >>45263672 >>45269128 >>45273686
2. notatallshaw No.45263672
Seems like this is a fairly recent change, for Pnpm at least, https://socket.dev/blog/pnpm-10-0-0-blocks-lifecycle-scripts...

What has been the community reaction? Has allowing scripts been scalable for users? Or could it be described as people blindly copying and pasting allow commands?

I am involved in Python packaging discussions and there is a pre-proposal (not at PEP stage yet) at the moment for "wheel variants" that involves a plugin architecture, a contentious point is whether to download and run the plugins by default. I'd like to find parallels in other language communities to learn from.

replies(1): >>45263931
3. theodorejb No.45263931
In my experience, packages which legitimately require a postinstall script to work correctly are very rare. For the apps I maintain, esbuild is the only dependency which benefits from a postinstall script to slightly improve performance (though it still works without the script). So there's no scaling issue adding one or two packages to a whitelist if desired.
4. LelouBil No.45269128
I'm also wondering why huge scale attacks like this don't happen for other package managers.

Like, for rust, you can have a build.rs file that gets executed when your crate is compiled, I don't think it's sandboxed.

Or also on other languages that will get run on development machines, like python packages (which can trigger code only on import), java libraries, etc...

Like, there is the post install script issue of course, but I feel like these attacks could have been just as (or almost as) effective in other programming languages, but I feel like we always only hear about npm packages.

replies(4): >>45269807 >>45270907 >>45272288 >>45273709
5. Onavo No.45269807
It's a lot harder to do useful things with backend languages. JavaScript is more profitable as you can do the crypto wallet attacks without having to exploit kernel zero days.
replies(1): >>45273223
6. voxelghost No.45270907
It's only JS devs that constantly rebuild their system with full dependency update, so they are the most attractive target.
7. silverwind No.45272288
All package managers are vulnerable to this type of attack, it just happens that npm is like 10+ times more popular than the others, so it gets targeted often.
8. 0x000xca0xfe No.45273223
It's trivial to run an exploit shell from almost any language when you have non-sandboxed code running on the target machine.
replies(1): >>45279069
9. VPenkov No.45273686
It does not, since version 11:

https://docs.npmjs.com/cli/v11/using-npm/changelog#1100-pre0...

replies(1): >>45274759
10. arccy No.45273709
for the same reason that scams are kind of obvious if you care to look: use of js / npm is an automatic filter for a more clueless target.
11. theodorejb No.45274759
Yes it does, since the ignore-scripts option is not enabled by default.
replies(1): >>45276822
12. VPenkov No.45276822
Yes it does, you're correct and I have misread. I can't edit, delete, or flag my initial reply unfortunately.
13. Onavo No.45279069
Yes but outside of dumping user data, there's not much else you can do. Crypto mining will get caught rather quickly (most big clouds ban mining). User data is useful for the type of attacker that's willing to go through the whole blackmarketing selling process. For script kiddies, if you think about it, the easiest pay-off for a social engineering/phishing is a frontend wallet crypto theft.