
1208 points jamesberthoty | 1 comment
Liskni_si No.45264540
Is there any way to install CLI tools from npmjs without being affected by a recent compromise?

Rust has `cargo install --locked`, which will use the pinned versions of dependencies from the lockfile, and these lockfiles are published for bin packages to crates.io.

But it seems npmjs doesn't allow publishing lockfiles, neither for libraries nor for CLI tools, so if you try to install let's say @google/gemini-cli, it will just pull the latest dependencies that fit the constraints in package.json. Is that true? Is it really this bad? If you try to install a CLI tool on a bad day when half of npmjs is compromised, you're out of luck?

How is that acceptable at all?

replies(2): >>45264657 >>45264725
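The question above is whether an npm install of a CLI tool is pinned the way `cargo install --locked` is. The following is an added example, not code from this thread or from npm itself: a small audit that reads a `package.json` and its `package-lock.json` (lockfileVersion 2 or 3, the `packages` map) and reports which declared dependencies have no lock entry, which locked versions fall outside their declared range, and which locked packages (transitive ones included) lack an integrity hash or resolve to something other than the public registry. The package names, versions, URLs and integrity values are constructed for the demo, and the semver helper deliberately handles only exact, caret and tilde ranges.

```javascript
// Added example, not code from this thread or from npm: audit a package-lock.json
// (lockfileVersion 2 or 3, "packages" map) against its package.json to see whether
// every dependency is pinned to a registry tarball with an integrity hash.
// All package names, versions, URLs and hashes below are constructed for the demo.

const REGISTRY = 'https://registry.npmjs.org/';

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Simplified semver: exact ("1.2.3"), caret ("^1.2.3") and tilde ("~1.2.3") ranges,
// which is what package.json normally contains. Any other syntax is rejected.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (!v || !base) return false;
  if (op === '') return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];      // ~1.2.3 := >=1.2.3 <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];      // ^1.2.3 := >=1.2.3 <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];      // ^0.2.3 := >=0.2.3 <0.3.0
  else upper = [0, 0, base[2] + 1];                       // ^0.0.3 := >=0.0.3 <0.0.4
  return compareVersions(v, upper) < 0;
}

// Returns { locked, findings }; each finding is { kind, name, detail }.
function auditLockfile(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };

  // 1. Every declared dependency needs a lock entry whose version fits the range.
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ kind: 'unpinned', name, detail: `declared ${range} but absent from lockfile` });
    } else if (!satisfies(entry.version, range)) {
      findings.push({ kind: 'range-mismatch', name, detail: `locked ${entry.version} does not satisfy ${range}` });
    }
  }

  // 2. Every locked package, transitive ones included, should come from the registry
  //    with an integrity hash so the downloaded tarball can be verified.
  let locked = 0;
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link) continue; // skip the root entry and workspace symlinks
    locked += 1;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.integrity) {
      findings.push({ kind: 'missing-integrity', name, detail: `no integrity field for ${entry.version}` });
    }
    if (!entry.resolved || !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ kind: 'non-registry-source', name, detail: `resolved from ${entry.resolved || '(none)'}` });
    }
  }
  return { locked, findings };
}

// Constructed sample inputs (not real packages).
const samplePackageJson = {
  name: 'demo-cli',
  version: '1.0.0',
  dependencies: { 'demo-pad': '^1.3.0', 'demo-colors': '~2.1.0', 'demo-unlocked': '^4.0.0' },
};

const sampleLock = {
  name: 'demo-cli',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: samplePackageJson.dependencies },
    'node_modules/demo-pad': {
      version: '1.3.2',
      resolved: `${REGISTRY}demo-pad/-/demo-pad-1.3.2.tgz`,
      integrity: 'sha512-PLACEHOLDER-CONSTRUCTED-HASH',
    },
    // Drifted past its tilde range and carries no integrity hash.
    'node_modules/demo-colors': {
      version: '2.2.0',
      resolved: `${REGISTRY}demo-colors/-/demo-colors-2.2.0.tgz`,
    },
    // Transitive dependency fetched from somewhere other than the registry.
    'node_modules/demo-colors/node_modules/demo-helper': {
      version: '0.9.0',
      resolved: 'https://example.invalid/demo-helper-0.9.0.tgz',
      integrity: 'sha512-PLACEHOLDER-CONSTRUCTED-HASH',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLockfile(samplePackageJson, sampleLock), null, 2));
}
```

For a real project, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of the checked-in files and run the audit before `npm ci`, which itself refuses to proceed when `package.json` and the lockfile disagree. The check only covers what a committed lockfile can pin; it says nothing about a tool installed globally with `npm install -g`, which resolves fresh from the registry at install time, which is exactly the gap the question raises.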
junon No.45264657
Lock files wouldn't work if they were locking transitive dependencies; otherwise the version solver would not have any work to actually do and you'd have many, many versions of the same package rather than a few versions that satisfy all of the version range constraints.

Lots of good ideas since last week, the one I like most being that published packages, especially those that are high in download count, don't actually go publish for a while until after publishing, allowing security scanners to do their thing.

replies(1): >>45264714
Liskni_si No.45264714
In the Rust ecosystem, you only publish lock files for binary crates. So yeah then you get churn like https://github.com/cargo-bins/cargo-binstall/releases/tag/v1... bumping transitive deps, but this churn/noise doesn't exist for library crates - because the lock file isn't published for them.
replies(1): >>45267375
the8472 No.45267375
lib crates have been checking in their Cargo.lock for a while now.

https://github.com/rust-lang/cargo/pull/12382

replies(1): >>45269912
Liskni_si No.45269912
That Cargo.lock will only be used for the library's own CI though (and also for development if you git clone it). It will not be used by downstream dependencies at all.