
1208 points | jamesberthoty | 1 comment
jbd0 No.45260954
I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.
replies(3): >>45260975 >>45261085 >>45261124
zachrip No.45261085
I can tell a lot about a dev by the fact that they single out npm/js for this supply chain issue.
replies(7): >>45261191 >>45261219 >>45261232 >>45261237 >>45261268 >>45261512 >>45263231
lithos No.45261268
Just more engineering leaning than you. Actual engineers have to analyze their supply chains, and so it makes sense that they would be baffled by the NPM dependency trees that utterly normal projects grow into in the JavaScript ecosystem.
replies(2): >>45261475 >>45265112
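A concrete version of the supply-chain analysis the comment above calls for, added here as an example that is not part of the thread and not npm's own tooling: it walks the `packages` map of a lockfileVersion 3 `package-lock.json`, resolves each dependency the way Node's module lookup does (the requirer's own `node_modules` first, then each parent's), and reports the reachable transitive closure, names present in more than one version, entries without an `integrity` hash, and entries resolved from somewhere other than the public registry. The lockfile and every package name in it are constructed for the example; `TRUSTED_REGISTRY` is an assumption you would change for a private mirror.

```javascript
// Added example, not from the HN thread or from npm itself: audit a
// lockfileVersion 3 package-lock.json by walking its "packages" map.
// The lockfile below is constructed; every package name is hypothetical.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    // "" is the root project; what it declares are the "direct" deps.
    "": { name: "demo-app", dependencies: { alpha: "^1.0.0", beta: "^2.0.0" } },
    "node_modules/alpha": {
      version: "1.0.0", integrity: "sha512-AAAA",
      resolved: "https://registry.npmjs.org/alpha/-/alpha-1.0.0.tgz",
      dependencies: { gamma: "^1.0.0", delta: "^3.0.0" },
    },
    "node_modules/beta": {
      version: "2.0.0", integrity: "sha512-BBBB",
      resolved: "https://registry.npmjs.org/beta/-/beta-2.0.0.tgz",
      dependencies: { gamma: "^2.0.0" },
    },
    // gamma@1 is hoisted to the top level for alpha ...
    "node_modules/gamma": {
      version: "1.0.0", integrity: "sha512-GGG1",
      resolved: "https://registry.npmjs.org/gamma/-/gamma-1.0.0.tgz",
    },
    // ... while beta needs an incompatible major, so gamma@2 is nested under it.
    "node_modules/beta/node_modules/gamma": {
      version: "2.0.0", integrity: "sha512-GGG2",
      resolved: "https://registry.npmjs.org/gamma/-/gamma-2.0.0.tgz",
      dependencies: { epsilon: "^1.0.0" },
    },
    // delta comes from a git URL and carries no integrity hash at all.
    "node_modules/delta": {
      version: "3.0.0",
      resolved: "git+ssh://git@git.example.com/someone/delta.git#abc123",
    },
    "node_modules/epsilon": {
      version: "1.0.0", integrity: "sha512-EEEE",
      resolved: "https://registry.npmjs.org/epsilon/-/epsilon-1.0.0.tgz",
    },
  },
};

// Assumption: anything not served from here is worth a look. Adjust for a mirror.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile path; keeps scoped names like "@scope/name".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Resolve `dep` as required by the package at `fromPath`, the way Node does:
// try fromPath's own node_modules, then climb one node_modules level at a
// time until the top-level node_modules has been checked.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

function analyzeLock(lock) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error("only lockfileVersion 2/3 (with a 'packages' map) is handled");
  }
  const packages = lock.packages;
  const reached = new Set();      // lockfile paths reachable from the root
  const directPaths = new Set();  // the subset the root requires itself
  const unresolved = [];          // "requirer -> dep" with no lockfile entry
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from];
    // Follow runtime deps only; devDependencies and peers are out of scope here.
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, from, dep);
      if (!target) { unresolved.push(`${from || "(root)"} -> ${dep}`); continue; }
      if (from === "") directPaths.add(target);
      if (!reached.has(target)) { reached.add(target); queue.push(target); }
    }
  }

  const versionsByName = {};
  const missingIntegrity = [];
  const offRegistry = [];
  for (const path of reached) {
    const entry = packages[path];
    (versionsByName[nameFromPath(path)] ||= []).push(entry.version);
    if (!entry.integrity) missingIntegrity.push(path);
    if (!(entry.resolved || "").startsWith(TRUSTED_REGISTRY)) offRegistry.push(path);
  }
  const duplicates = Object.fromEntries(
    Object.entries(versionsByName).filter(([, versions]) => versions.length > 1),
  );
  return {
    direct: directPaths.size,
    transitive: reached.size - directPaths.size,
    total: reached.size,
    duplicates, missingIntegrity, offRegistry, unresolved,
  };
}

console.log(JSON.stringify(analyzeLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. `npm ls --all` prints the same tree, but the two lists that matter for a supply-chain review are the ones `npm ls` does not give you: entries with no `integrity` hash (nothing pins the bytes that get installed) and entries resolved off the registry (git URLs and tarball URLs, where the version string no longer identifies the artifact).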
Lumping6371 No.45265112
Good thing that at scale, private package repositories are used, or development is even done in-house. Personally, I would argue that an engineer unable to tell apart perfect from good isn't a very good engineer in my book, but some engineers are unable to make compromises.