
1208 points jamesberthoty | 3 comments
Meneth No.45261303
This happens because there's no auditing of new packages or versions. The distro's maintainer and the developer are the same person.

The general solution is to do what Debian does.

Keep a stable distro where new packages aren't added and versions change rarely (security updates and bugfixes only, no new functionality). This is what most people use.

Keep a testing/unstable distro where new packages and new versions can be added, but even then added only by the distro maintainer, NOT by the package developers. This is where the audits happen.

NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

weinzierl No.45261617
In Rust we have cargo vet, where we share these audits and use them in an automated fashion. Companies like Google and Mozilla contribute their audits.
1. gedy No.45265570
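As an added illustration of the cargo vet workflow the comment above refers to (constructed example, not code from the thread or from the cargo vet project): a `supply-chain/config.toml` that imports externally published audit sets so they count locally, and the shape of one entry in the project's own `audits.toml`. The import URLs follow the layout the cargo vet documentation uses for the Mozilla and Google audit repositories, and the crate names are placeholders; treat both as assumptions to verify.

```toml
# supply-chain/config.toml (constructed example)

# Audits shared by other organisations are fetched from these URLs and
# merged with local ones, so a crate version they have already reviewed
# does not need a second review here.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

# Placeholder crate name: every dependency reachable from this crate must
# carry a "safe-to-deploy" audit (local or imported) or `cargo vet` fails.
[policy.example-app]
criteria = "safe-to-deploy"

# supply-chain/audits.toml (constructed example of a locally recorded audit)
[[audits.example-dep]]
who = "Reviewer Name <reviewer@example.com>"
criteria = "safe-to-deploy"
version = "1.2.3"
notes = "Reviewed build script and unsafe blocks; no network or filesystem access."
```

Running `cargo vet` in CI then blocks a new or bumped dependency until someone records an audit (or an explicit exemption) for it, which is the automated gate the comment describes.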
It's too bad MS doesn't own npm, and/or GitHub repositories. Wait
2. LikesPwsh No.45267047
Nuget, Powershell gallery, the marketplaces for VSCode/VS/AZDo and the Microsoft Store too. Probably another twenty.

They collect package managers like Funko Pops.

I'm not quite sure about the goal. Maybe some more C# dev kit style rug-pulls where the ecosystem is nominally open-source but MS own the development and distribution so nobody would bother to compete.

3. lovich No.45267955
I took those acquisitions and a few others like LinkedIn and all the visual studio versions as a sign that Microsoft is trying to own the software engineer career as a domain.