
1208 points | jamesberthoty | 5 comments
Meneth No.45261303
This happens because there's no auditing of new packages or versions. The distro's maintainer and the developer are the same person.

The general solution is to do what Debian does.

Keep a stable distro where new packages aren't added and versions change rarely (security updates and bugfixes only, no new functionality). This is what most people use.

Keep a testing/unstable distro where new packages and new versions can be added, but even then added only by the distro maintainer, NOT by the package developers. This is where the audits happen.

NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

ncruces No.45266032
This is a culture issue with developers who find it OK to have hundreds of (transitive) dependencies, and then follow processes that, for all intents and purposes, blindly auto-update them, thereby giving hundreds of third parties access to their build (or worse) execution environments.

Adding friction to the sharing of code doesn't absolve developers from their decision to blindly trust a ridiculous amount of third parties.

Pet_Ant No.45266951
I find that the issue is much more often not updating dependencies often enough with known security holes, than updating too often and getting hit with a supply-chain malware attack.
1. dboreham No.45267342
Not updating is the other side of the same problem: library owners feel it is ok to make frequent backwards-compatibility breaking changes, often ignoring semver conventions. So consumers of their libraries are left with the choice to pin old insecure versions or spend time rewriting their code (and often transitive dependency code too) to keep up.

This is what happens when nobody pays for anything and nobody feels they have a duty to do good work for free.

2. banku_brougham No.45267611
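The two failure modes raised above (ncruces: ranges that let a new upstream release into the build without any change on your side; dboreham: consumers left choosing between pinning old versions and chasing breaking bumps) can both be made visible by auditing a manifest against its lockfile. The script below is an added example written for this thread, not code from any commenter or from npm; it assumes an npm-style package.json and a package-lock v3 layout (the "packages" map keyed by "node_modules/<name>", with "version" and "integrity" fields). The manifest, lock entries and "sha512-..." values are constructed placeholders, and the function names (classify_range, satisfies, audit) are this example's own.

```python
"""Audit an npm-style manifest against its lockfile: flag floating ranges,
lock entries without an integrity hash, and locked versions that no longer
satisfy the declared range. Added example; the data below is constructed."""
import json
import re

# Constructed sample manifest (package.json style). Not a real project.
MANIFEST = json.loads("""
{
  "dependencies": {
    "left-pad": "^1.3.0",
    "lodash": "~4.17.20",
    "chalk": "5.3.0",
    "debug": "*",
    "colors": "latest"
  }
}
""")

# Constructed sample lockfile (package-lock v3 style, trimmed). The
# integrity values are placeholders, not real hashes.
LOCK = json.loads("""
{
  "packages": {
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
    "node_modules/lodash":   {"version": "4.18.0", "integrity": "sha512-BBBB"},
    "node_modules/chalk":    {"version": "5.3.0", "integrity": "sha512-CCCC"},
    "node_modules/debug":    {"version": "4.3.4"},
    "node_modules/colors":   {"version": "1.4.1", "integrity": "sha512-DDDD"}
  }
}
""")

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    """Parse a plain x.y.z string into a comparable tuple (assumes all three parts)."""
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"not a plain semver triple: {v!r}")
    return tuple(int(x) for x in m.groups())


def classify_range(spec):
    """Return 'exact', 'caret', 'tilde', 'any' or 'tag' for a manifest range.
    Anything not recognised (dist-tags like 'latest', git URLs, >= ranges)
    is lumped into 'tag' and treated as floating."""
    if spec in ("*", "", "x"):
        return "any"
    if spec.startswith("^"):
        return "caret"
    if spec.startswith("~"):
        return "tilde"
    if SEMVER.match(spec):
        return "exact"
    return "tag"


def satisfies(spec, version):
    """npm semantics for exact, ^ and ~ ranges on full x.y.z versions.
    ^ keeps the leftmost non-zero component fixed; ~ allows patch bumps only."""
    kind = classify_range(spec)
    if kind in ("any", "tag"):
        return True  # anything resolves, which is exactly the problem
    base = parse_version(spec.lstrip("^~"))
    v = parse_version(version)
    if kind == "exact":
        return v == base
    if v < base:
        return False
    if kind == "caret":
        if base[0] != 0:
            return v[0] == base[0]
        if base[1] != 0:
            return v[:2] == base[:2]
        return v == base
    return v[:2] == base[:2]  # tilde


def audit(manifest, lock):
    """Return (package, finding) pairs for every dependency worth a look."""
    findings = []
    pkgs = lock.get("packages", {})
    for name, spec in manifest.get("dependencies", {}).items():
        kind = classify_range(spec)
        if kind != "exact":
            findings.append((name, f"floating range {spec!r} ({kind}): a new upstream "
                                   "release changes the build without a manifest edit"))
        entry = pkgs.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "declared but absent from lockfile"))
            continue
        if not entry.get("integrity"):
            findings.append((name, "lock entry has no integrity hash; a substituted "
                                   "tarball would install silently"))
        if not satisfies(spec, entry["version"]):
            findings.append((name, f"locked {entry['version']} no longer satisfies {spec!r}"))
    return findings


if __name__ == "__main__":
    for name, msg in audit(MANIFEST, LOCK):
        print(f"{name}: {msg}")
```

Run it and the sample produces six findings: every non-exact range is reported once, debug is additionally flagged for the missing integrity hash, and lodash for a locked 4.18.0 that falls outside ~4.17.20. Only the exactly pinned chalk passes clean, which is the trade-off the thread is arguing about: pinning stops surprise updates but moves the work of upgrading onto you.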
>This is what happens when nobody pays for anything and nobody feels they have a duty to do good work for free.

Weirdly, some of the worst CVEs I can think of were with enterprise software.

3. zelphirkalt No.45267964
That's because many people there don't feel like it is their duty to do good work, even though they are paid ...
4. jand No.45273322
Who do you mean by "many people"? Developers who do not care or middle management that oversold features and overcommitted w.r.t. deadlines? Or both? Someone else?
5. zelphirkalt No.45274069
I was thinking of many developers, but actually middle management should be included.