
1208 points jamesberthoty | 8 comments
1. g42gregory No.45265531
Are Python packaging systems like pip exposed to the same risks?

Is anybody looking at this?

replies(3): >>45265655 >>45265941 >>45268254
2. LPisGood No.45265655
Software supply chain attacks are well known and they are a massive hole in the entirety of software infrastructure. As usual with security, no one really cares that much.
3. nromiun No.45265941
Not to the same extent as NPM. Because Python has a good standard library and library authors are not deathly afraid of code duplication like JS devs (for example, micro libraries like left-pad, is-even, etc.).
replies(2): >>45267004 >>45271113
4. AnotherGoodName No.45267004
Also there's more of a habit to release to the pre-release channel for some time first.

I honestly think a forced time spent in pre-release (with some emergency break glass where community leaders manually review critical hotfixes) could mitigate 99% of the issues here. Linux packages have been around forever and have fewer incidents mainly because of the long dev->release channel cooking time.

replies(1): >>45267478
5. g42gregory No.45267478
Forced time in pre-release sounds like a really good idea.

Can somebody drive this up the chain to people who administer npm?

6. cpburns2009 No.45268254
As much as I prefer Python over JavaScript, Python is vulnerable to this sort of attack. All it would take is a compromised update publishing only a source package, and hooking into any of setuptools's build or install steps. Pip's build isolation is only intended for reproducible builds. It's not intended to protect against malicious code.

PyPI's attestations do nothing to prevent this either. A package built from a compromised repository will be happily attested with malicious code. To my knowledge wheels are not required.
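
A static pre-install check in the spirit of the point above, added here as an example that is not part of the thread: it parses the setup.py inside an sdist without executing it and flags the hook points the comment mentions (a cmdclass override or a subclass of a setuptools command) plus build-time imports that deserve a look. The SUSPICIOUS_IMPORTS and HOOK_BASES sets and the in-memory sample sdists are this example's own constructed choices; a clean result is a heuristic, not proof the package is safe.

```python
import ast
import io
import tarfile

SUSPICIOUS_IMPORTS = {"subprocess", "socket", "urllib", "ctypes", "base64"}  # heuristic
HOOK_BASES = {"install", "develop", "build_py", "build_ext", "egg_info", "sdist"}

def audit_setup_py(source: str) -> list:
    """Static findings for one setup.py; the file is parsed, never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:
                if mod.split(".")[0] in SUSPICIOUS_IMPORTS:
                    findings.append(f"imports {mod} (line {node.lineno})")
        if isinstance(node, ast.ClassDef):  # subclassing a setuptools command = install-time hook
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in HOOK_BASES:
                    findings.append(f"class {node.name} hooks setuptools '{name}' (line {node.lineno})")
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":  # bare setup()
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"setup() overrides cmdclass (line {node.lineno})")
    return findings

def audit_sdist(data: bytes) -> list:
    """Scan every setup.py inside an sdist tarball given as bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.rsplit("/", 1)[-1] == "setup.py":
                src = tar.extractfile(m).read().decode("utf-8", "replace")
                findings += [f"{m.name}: {f}" for f in audit_setup_py(src)]
    return findings

def make_sdist(setup_py: str) -> bytes:
    """Constructed single-file sdist for the demo (not a real package)."""
    buf, payload = io.BytesIO(), setup_py.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples: a plain setup.py and one that hooks the install step.
BENIGN = "from setuptools import setup\nsetup(name='pkg', version='1.0')\n"
HOOKED = ("import subprocess\nfrom setuptools import setup\n"
          "from setuptools.command.install import install\n"
          "class PostInstall(install):\n    def run(self):\n        subprocess.run(['true'])\n"
          "setup(name='pkg', version='1.0', cmdclass={'install': PostInstall})\n")
```

Run `audit_sdist(make_sdist(HOOKED))` to see the three findings; pairing a check like this with `pip install --only-binary=:all:` and hash-pinned requirements avoids running an sdist build step at all.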

7. Klonoar No.45271113
The weird dig at JS as a community is wholly unnecessary. Python as an ecosystem is just as vulnerable to this crap - and they’ve had their own issues with it.

You can reference that and leave the color commentary at the door.

replies(1): >>45271321
8. nromiun No.45271321
Unnecessary? Maybe if more people had commented on JS devs' tendency to include every 3-line micro package in existence we would not be in this situation.

Every ecosystem has this problem but NPM is the undisputed leader if you count all attacks.