←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 4 comments | 16 Sep 25 11:22 UTC | HN request time: 0.786s | source
Show context
paulirish ◴[16 Sep 25 14:54 UTC] No.45263141[source]
This vulnerability was reported to NPM in 2016: https://blog.npmjs.org/post/141702881055/package-install-scr... https://www.kb.cert.org/vuls/id/319816 but the NPM response was WAI.
replies(3): >>45263800 #>>45264329 #>>45274286 #
1. debazel ◴[16 Sep 25 16:21 UTC] No.45264329[source]
Even if we didn't have post install scripts wouldn't the malware just run as soon as you imported the module into your code during the build process, server startup, testing, etc?

I can't think of an instance where I ran npm install and didn't run some process shortly after that imported the packages.

replies(1): >>45264717 #
2. theodorejb ◴[16 Sep 25 16:50 UTC] No.45264717[source]
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
replies(2): >>45269205 #>>45269782 #
3. brw ◴[16 Sep 25 22:41 UTC] No.45269205[source]
I wonder why npm doesn't block pre/postinstall scripts by default, which pnpm and Bun (and I imagine others) already do.

EDIT: oh I scrolled down a bit further and see you said the exact same thing in a top-level comment hahah, my bad

4. mdavidn ◴[16 Sep 25 23:46 UTC] No.45269782[source]
Malicious client-side code can still perform any user action, exfiltrate user data via cross-domain requests, and probe the user's local network.