(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.223s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

codemonkey-zeta ◴[16 Sep 25 11:56 UTC] No.45261026[source]▶

>>45260741 (OP) #

I'm coming to the unfortunate realizattion that supply chain attacks like this are simply baked into the modern JavaScript ecosystem. Vendoring can mitigate your immediate exposure, but does not solve this problem.

These attacks may just be the final push I needed to take server rendering (without js) more seriously. The HTMX folks convinced me that I can get REALLY far without any JavaScript, and my apps will probably be faster and less janky anyway.

replies(18): >>45261086 #>>45261121 #>>45261140 #>>45261165 #>>45261220 #>>45261265 #>>45261285 #>>45261457 #>>45261571 #>>45261702 #>>45261970 #>>45262601 #>>45262619 #>>45262851 #>>45267210 #>>45268405 #>>45269073 #>>45273081 #

tarruda ◴[16 Sep 25 12:11 UTC] No.45261165[source]▶

>>45261026 #

AFAICT, the only thing this attack relies on, is the lack of scrutiny by developers when adding new dependencies.

Unless this lack of scrutiny is exclusive to JavaScript ecosystem, then this attack could just as well have happened in Rust or Golang.

replies(6): >>45261185 #>>45261224 #>>45261255 #>>45262968 #>>45267488 #>>45274187 #

hsbauauvhabzb ◴[16 Sep 25 12:13 UTC] No.45261185[source]▶

>>45261165 #

JavaScript does have some pretty insane dependency trees. Most other languages don’t have anywhere near that level of nestedness.

replies(4): >>45261308 #>>45261471 #>>45261685 #>>45261896 #

cxr ◴[16 Sep 25 12:45 UTC] No.45261471[source]▶

>>45261185 #

It's not possible for a language to have an insane dependency tree. That's an attribute of a codebase.

replies(2): >>45262259 #>>45262954 #

orbital-decay ◴[16 Sep 25 14:42 UTC] No.45262954[source]▶

>>45261471 #

Modern programming languages don't exist in a vacuum, they are tied to the existing codebase and libraries.

replies(2): >>45264151 #>>45267432 #

1. cxr ◴[16 Sep 25 16:08 UTC] No.45264151[source]▶

>>45262954 #

Whatever you're trying to say, you aren't.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised