←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 3 comments | 16 Sep 25 11:22 UTC | HN request time: 0.724s | source
Show context
jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]
I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.
replies(3): >>45260975 #>>45261085 #>>45261124 #
zachrip ◴[16 Sep 25 12:03 UTC] No.45261085[source]
I can tell a lot about a dev by the fact that they single out npm/js for this supply chain issue.
replies(7): >>45261191 #>>45261219 #>>45261232 #>>45261237 #>>45261268 #>>45261512 #>>45263231 #
RUnconcerned ◴[16 Sep 25 12:18 UTC] No.45261237[source]
What other language ecosystems have had this happen systematically? This isn't even the first time this month!
replies(5): >>45262049 #>>45262513 #>>45265664 #>>45267928 #>>45271328 #
1. SkyPuncher ◴[16 Sep 25 20:55 UTC] No.45267928[source]
NPM is the most popular, so it happens the most frequently. All of the other ecosystems are just as susceptible.

Unix had a big scare last year because of XZ Utils.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

replies(1): >>45273588 #
2. Sankozi ◴[17 Sep 25 09:20 UTC] No.45273588[source]
No they are not as susceptible - auto updating dependencies, post install scripts and culture of thousands of crappy micro packages (like left-pad) is mainly a NPM issue.
replies(1): >>45275554 #
3. zachrip ◴[17 Sep 25 13:23 UTC] No.45275554[source]
Packages are not auto updated if you have a package-lock. Agreed that post-install, left-pad, etc have been overall problematic tho.