(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 1.117s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

1. indigodaddy ◴[16 Sep 25 19:13 UTC] No.45266581[source]▶

>>45260741 (OP) #

Ironically I started seeing a message in GitHub saying 2fa will be auto-enforced shortly. Wonder if that is a sign of similar for npm packaging?

Or wonder if GitHub is enforcing 2fa soon because of the NPM CVEs potential to harvest GitHub creds?

replies(1): >>45269623 #

2. keyle ◴[16 Sep 25 23:27 UTC] No.45269623[source]▶

>>45266581 (TP) #

2FA is the first steps is stopping the onslaught.

But it still doesn't stop infected developer machines to silently update code and wait for the next release patiently.

It would require the diligence of those developers to check every line of code that goes out with a release... which is a lot to ask for someone who fell for a fishing email.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised