1208 points jamesberthoty | 4 comments
1. hacker_homie No.45269580
I’m not sure language package managers were a good idea at all. Dependencies were supposed to be painful. If the language needed some functionality built in, it was supposed to go into the standard library. I understand that for JS this isn’t feasible.
replies(3): >>45269627 #>>45269671 #>>45273684 #
2. chromanoid No.45269627
Nah, package managers are always the "civilization" moments of programming.
3. 63 No.45269671
There was a very similar discussion on lobsters the other day. You might be interested in reading it.

In general, I agree with the idea that writing everything yourself results in a higher quantity of low quality software with security issues and bugs, as well as a waste of developers' time. That said, clearly supply chain attacks are a very real threat that needs to be addressed. I just don't think eliminating package managers is a good solution.

https://lobste.rs/s/zvdtdn

4. Sankozi No.45273684
It is not package managers. It is due to the poor NPM ecosystem: lots of crappy packages (like left-pad), auto-updates, lots of dependencies, post-install scripts, insecure language.

These security problems happen much less often in other ecosystems. There is nothing even remotely as bad as NPM.