
1208 points jamesberthoty | 2 comments
1. parhamn No.45268412
For a large subset of packages (like the browser ones), as a layman, it seems feasible to do static analysis for:

1) fetch calls

2) obfuscation (like sketchy lookup tables and hex string construction)

Like for (1) the hostname should be statically resolvable and immutable. So you can list the hostnames it fetches from as well.

Is this feasible or am I underestimating the difficulty? JavaScript seems to have no shortage of static analysis tools.

replies(1): >>45268931 #
2. TheDong No.45268931
There are many ways to "eval" in JavaScript, and static analysis can only work if that's also statically disallowed.

Unfortunately, eval is still used in a lot of code, so disabling it isn't trivially viable, and with eval present, detecting fetch calls and such statically becomes the halting problem.