
1208 points jamesberthoty | 5 comments
g42gregory No.45265531
Are Python packaging systems like pip exposed to the same risks?

Is anybody looking at this?

replies(3): >>45265655 >>45265941 >>45268254
1. nromiun No.45265941
Not to the same extent as NPM, because Python has a good standard library and library authors are not deathly afraid of code duplication like JS devs are (for example, micro libraries like left-pad, is-even, etc.).
replies(2): >>45267004 >>45271113
2. AnotherGoodName No.45267004
Also, there's more of a habit of releasing to the pre-release channel for some time first.

I honestly think a forced time spent in pre-release (with some emergency break-glass process where community leaders manually review critical hotfixes) could mitigate 99% of the issues here. Linux packages have been around forever and have fewer incidents mainly because of the long dev->release channel cooking time.

replies(1): >>45267478
3. g42gregory No.45267478
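A client-side version of the "cooling period" proposed in the comment above, as an added example that is not part of the thread: instead of waiting for the registry to enforce a delay, the installer resolves each package to the newest stable version that has already been public for a minimum number of days and fails closed when nothing qualifies. The registry metadata below is constructed for the example (it mimics the per-version `time` object in an npm registry document; PyPI's JSON API exposes the same information as `upload_time` per file), the package name and publish dates are invented, and the fixed clock exists only to make the run reproducible.

```python
"""Client-side cooling period for registry packages (added example).

Given a registry's per-version publish timestamps, choose the newest stable
version that has been public for at least MIN_AGE_DAYS, and report any
version younger than that so a lockfile audit can flag freshly pushed
releases. All data here is constructed, not real package history.
"""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the `time` field of https://registry.npmjs.org/<pkg>
# (version -> ISO 8601 publish time). Not a real package.
FAKE_REGISTRY_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2025-09-15T08:30:00.000Z",
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.1.0": "2024-06-02T09:15:00.000Z",
    "1.1.1": "2025-09-14T22:05:00.000Z",  # pushed hours ago: exactly what a cooling period blocks
    "2.0.0-rc.1": "2025-08-01T00:00:00.000Z",  # pre-release, never auto-selected
}

MIN_AGE_DAYS = 7  # policy knob: how long a version must sit before it is installable


def parse_version(v):
    """Split '1.2.3' into (1, 2, 3); pre-releases such as '2.0.0-rc.1' return None."""
    if "-" in v:
        return None
    try:
        return tuple(int(part) for part in v.split("."))
    except ValueError:
        return None


def version_ages(time_field, now):
    """Map each stable release version to its age in days at `now`."""
    ages = {}
    for key, stamp in time_field.items():
        if key in ("created", "modified") or parse_version(key) is None:
            continue  # skip registry bookkeeping keys and pre-releases
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        ages[key] = (now - published) / timedelta(days=1)
    return ages


def select_cooled_version(time_field, min_age_days, now):
    """Newest stable version that has been public for at least min_age_days.

    Returns None when nothing has cooled long enough, so the caller fails
    closed instead of silently installing a fresh upload.
    """
    ages = version_ages(time_field, now)
    cooled = [v for v, age in ages.items() if age >= min_age_days]
    if not cooled:
        return None
    return max(cooled, key=parse_version)


def flag_fresh_versions(time_field, min_age_days, now):
    """Stable versions younger than the cooling period, sorted for reporting."""
    ages = version_ages(time_field, now)
    return sorted(v for v, age in ages.items() if age < min_age_days)


if __name__ == "__main__":
    # Fixed clock so the demo is reproducible; a real tool would use datetime.now(timezone.utc).
    now = datetime(2025, 9, 15, 12, 0, tzinfo=timezone.utc)
    print("install:", select_cooled_version(FAKE_REGISTRY_TIME, MIN_AGE_DAYS, now))
    print("too fresh:", flag_fresh_versions(FAKE_REGISTRY_TIME, MIN_AGE_DAYS, now))
```

With the constructed data the selector picks 1.1.0 and reports 1.1.1 as too fresh, even though 1.1.1 is the latest tag. npm's own `--before=<date>` install option applies the same idea as a hard date cut-off across the whole tree; the per-package age check above is what you would run in CI against a lockfile to catch the single freshly published dependency that a plain `npm install` would happily pull in.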
Forced time in pre-release sounds like a really good idea.

Can somebody drive this up the chain to people who administer npm?

4. Klonoar No.45271113
The weird dig at JS as a community is wholly unnecessary. Python as an ecosystem is just as vulnerable to this crap - and they’ve had their own issues with it.

You can reference that and leave the color commentary at the door.

replies(1): >>45271321
5. nromiun No.45271321
Unnecessary? Maybe if more people had commented on JS devs' tendency to include every 3-line micro package in existence, we would not be in this situation.

Every ecosystem has this problem but NPM is the undisputed leader if you count all attacks.