
1208 points jamesberthoty | 2 comments
g42gregory No.45265531
Are Python packaging systems like pip exposed to the same risks?

Is anybody looking at this?

replies(3): >>45265655 #>>45265941 #>>45268254 #
nromiun No.45265941
Not to the same extent as NPM, because Python has a good standard library and library authors are not deathly afraid of code duplication like JS devs (for example, micro libraries like left-pad, is-even, etc.).
replies(2): >>45267004 #>>45271113 #
1. AnotherGoodName No.45267004
Also there's more of a habit to release to the pre-release channel for some time first.

I honestly think a forced time spent in pre-release (with some emergency break glass where community leaders manually review critical hotfixes) could mitigate 99% of the issues here. Linux packages have been around forever and have fewer incidents mainly because of the long dev->release channel cooking time.

replies(1): >>45267478 #
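The "forced time in pre-release" policy above can be enforced on the consumer side without waiting for the registry to change. The following is an added example (not code from the thread, from npm, or from any project mentioned): it reads an npm packument, the JSON the registry serves for a package, and refuses any version published more recently than a minimum age, with a reviewed-versions allowlist standing in for the "break glass" path the comment describes. The packument, the package name `example-lib` and the fixed clock are constructed for the example; the `time`, `versions` and `dist-tags` fields follow the registry's real shape.

```javascript
// Added example of a consumer-side "cooling period" for npm installs.
// Input is an npm packument (https://registry.npmjs.org/<name>); the one
// below is constructed for the example, dated relative to a fixed "now"
// so the run is deterministic and offline.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

const NOW = new Date("2025-09-16T12:00:00Z"); // fixed clock for the example
const daysAgo = (d) => new Date(NOW.getTime() - d * MS_PER_DAY).toISOString();

// Constructed packument: hypothetical package, four published versions.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "1.1.1", next: "2.0.0-beta.1" },
  versions: { "1.0.0": {}, "1.1.0": {}, "1.1.1": {}, "2.0.0-beta.1": {} },
  time: {
    created: daysAgo(400),
    modified: daysAgo(0),
    "1.0.0": daysAgo(40),
    "1.1.0": daysAgo(10),
    "1.1.1": daysAgo(0.04), // roughly one hour old
    "2.0.0-beta.1": daysAgo(3),
  },
};

// Publish dates of versions that are still present in `versions`.
// The registry keeps `time` entries for unpublished versions, so the
// `versions` check is what filters those out.
function publishedVersions(packument) {
  return Object.entries(packument.time)
    .filter(([v]) => v !== "created" && v !== "modified" && packument.versions[v])
    .map(([v, iso]) => ({ version: v, publishedAt: new Date(iso) }));
}

// Applies the cooling-period policy. A version is installable when it has
// been public for at least `minAgeDays`, or when it appears in `reviewed`
// (versions a human has manually checked: the "break glass" path).
// Returns the newest installable version, whether the `latest` dist-tag
// is currently withheld, and the list of withheld versions with their age.
function applyCoolingPeriod(packument, { minAgeDays, now = new Date(), reviewed = [] }) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  const reviewedSet = new Set(reviewed);
  const eligible = [];
  const withheld = [];
  for (const entry of publishedVersions(packument)) {
    const ageDays = (now.getTime() - entry.publishedAt.getTime()) / MS_PER_DAY;
    const oldEnough = entry.publishedAt.getTime() <= cutoff;
    if (oldEnough || reviewedSet.has(entry.version)) {
      eligible.push({ ...entry, ageDays });
    } else {
      withheld.push({ ...entry, ageDays });
    }
  }
  // Newest eligible version wins; ties are not expected in registry data.
  eligible.sort((a, b) => b.publishedAt.getTime() - a.publishedAt.getTime());
  const latestTag = packument["dist-tags"].latest;
  return {
    resolved: eligible.length ? eligible[0].version : null,
    latestTagWithheld: withheld.some((w) => w.version === latestTag),
    withheld: withheld.map((w) => `${w.version} (${w.ageDays.toFixed(2)} days old)`),
  };
}

// Seven-day cooling period: 1.1.1 and the beta are too young, so the
// resolver falls back to 1.1.0 and reports that `latest` was withheld.
console.log(JSON.stringify(applyCoolingPeriod(samplePackument, { minAgeDays: 7, now: NOW }), null, 2));
```

The same check can be run against a lockfile before `npm ci` by fetching each package's packument and comparing the pinned version's `time` entry against the cutoff; the withheld list is what you would surface to the team, and the `reviewed` allowlist is where a manually vetted hotfix goes so it can ship before the period elapses.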
2. g42gregory No.45267478
Forced time in pre-release sounds like a really good idea.

Can somebody drive this up the chain to people who administer npm?