
1208 points jamesberthoty | 3 comments
codemonkey-zeta No.45261026
I'm coming to the unfortunate realization that supply chain attacks like this are simply baked into the modern JavaScript ecosystem. Vendoring can mitigate your immediate exposure, but does not solve this problem.

These attacks may just be the final push I needed to take server rendering (without js) more seriously. The HTMX folks convinced me that I can get REALLY far without any JavaScript, and my apps will probably be faster and less janky anyway.

replies(18): >>45261086 #>>45261121 #>>45261140 #>>45261165 #>>45261220 #>>45261265 #>>45261285 #>>45261457 #>>45261571 #>>45261702 #>>45261970 #>>45262601 #>>45262619 #>>45262851 #>>45267210 #>>45268405 #>>45269073 #>>45273081 #
tarruda No.45261165
AFAICT, the only thing this attack relies on is the lack of scrutiny by developers when adding new dependencies.

Unless this lack of scrutiny is exclusive to the JavaScript ecosystem, then this attack could just as well have happened in Rust or Golang.

replies(6): >>45261185 #>>45261224 #>>45261255 #>>45262968 #>>45267488 #>>45274187 #
hsbauauvhabzb No.45261185
JavaScript does have some pretty insane dependency trees. Most other languages don’t have anywhere near that level of nestedness.
replies(4): >>45261308 #>>45261471 #>>45261685 #>>45261896 #
staminade No.45261308
Don't they?

I just went to crates.io and picked a random newly updated crate, which happened to be pixelfix, which fixes transparent pixels in pngs.

It has six dependencies and hundreds of transient dependencies, many of which appear to be small and highly specific a la left-pad.

https://crates.io/crates/pixelfix/0.1.1/dependencies

Maybe this package isn't representative, but it feels pretty identical to the JS ecosystem.

replies(1): >>45261384 #
koakuma-chan No.45261384
It depends on `image` which in turn depends on a number of crates to handle different file types. If you disable all `image` features, it only has like 5 dependencies left.
replies(1): >>45261462 #
staminade No.45261462
And all those 5 remaining dependencies have lots of dependencies of their own. What's your point?
replies(1): >>45261588 #
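An added example, not from the thread, of the check this exchange invites: count direct versus transitive dependencies from `cargo metadata` output, so a "five dependencies" claim and a "hundreds of transitive dependencies" claim can both be measured on a real crate instead of eyeballed on crates.io. The graph below is constructed with made-up crate names; on a real checkout the same functions take `json.loads(subprocess.check_output(["cargo", "metadata", "--format-version", "1"]))`.

```python
"""Direct vs. transitive dependency counts from `cargo metadata` JSON.
Added example, not from the thread: walks the resolve graph printed by
`cargo metadata --format-version 1` from the workspace root. SAMPLE_METADATA
is a constructed stand-in (made-up crate names, shortened ids) for offline use.
"""
from collections import deque

def _node(pkg_id, deps=(), dev=()):
    """One resolve node in cargo's shape (helper for the constructed sample)."""
    edge = lambda k, d: {"name": d.split()[0], "pkg": d, "dep_kinds": [{"kind": k, "target": None}]}
    return {"id": pkg_id, "deps": [edge(None, d) for d in deps] + [edge("dev", d) for d in dev]}

SAMPLE_METADATA = {"resolve": {"root": "app 0.1.0", "nodes": [  # constructed graph
    _node("app 0.1.0", deps=["imglib 0.25.0"], dev=["devtool 2.0.0"]),
    _node("imglib 0.25.0", deps=["codec_a 1.2.0", "codec_b 3.0.1", "fastpar 1.8.0"]),
    _node("codec_a 1.2.0", deps=["bitio 1.0.0"]),
    _node("codec_b 3.0.1", deps=["bitio 1.0.0", "fastpar 1.8.0"]),  # shared deps count once
    _node("fastpar 1.8.0", deps=["sync_util 0.9.0"]),
    _node("sync_util 0.9.0"), _node("bitio 1.0.0"), _node("mock_net 0.3.0"),
    _node("devtool 2.0.0", deps=["bitio 1.0.0", "mock_net 0.3.0"]),
]}}

def _dev_only(dep):
    """True when an edge exists solely as a dev-dependency (never shipped)."""
    kinds = {k.get("kind") for k in dep.get("dep_kinds", [])}
    return bool(kinds) and kinds <= {"dev"}

def transitive_deps(metadata, include_dev=False):
    """Package ids reachable from the root (root itself excluded)."""
    resolve = metadata["resolve"]
    nodes = {n["id"]: n for n in resolve["nodes"]}
    seen, queue = set(), deque([resolve["root"]])
    while queue:  # breadth-first walk; normal and build edges are always followed
        for dep in nodes[queue.popleft()].get("deps", []):
            # dev-only edges never reach the built artifact, so skip them by default
            if dep["pkg"] in seen or (_dev_only(dep) and not include_dev):
                continue
            seen.add(dep["pkg"])
            queue.append(dep["pkg"])
    seen.discard(resolve["root"])
    return seen

def dependency_counts(metadata, include_dev=False):
    """Compare what Cargo.toml declares (direct) with what actually compiles."""
    resolve = metadata["resolve"]
    root = next(n for n in resolve["nodes"] if n["id"] == resolve["root"])
    direct = {d["pkg"] for d in root.get("deps", []) if include_dev or not _dev_only(d)}
    return {"direct": len(direct), "transitive": len(transitive_deps(metadata, include_dev))}
```

The gap between the two numbers is the exposure that reviewing only Cargo.toml misses, and the dev-dependency toggle shows how much of the closure never ships.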
koakuma-chan No.45261588
> What's your point?

Just defending Rust.

> 5 remaining dependencies have lots of dependencies of their own.

Mostly well-known crates like rayon, crossbeam, tracing, etc.

replies(1): >>45262478 #
johnisgood No.45262478
You cannot defend Rust if this is reality.

Any Rust project I have ever compiled pulled in over 1000 dependencies. Recently it was Zed with its >2000 dependencies.

replies(1): >>45262797 #
koakuma-chan No.45262797
I think it's justified for Zed. It does a lot of things.
replies(1): >>45264272 #
rudedogg No.45264272
Zed isn’t special, I doubt Sublime Text has thousands of dependencies. It’s a language/culture problem.

Edit: Ghostty is a good counter-example that is open source. https://github.com/ghostty-org/ghostty/tree/main/pkg

replies(1): >>45266706 #
koakuma-chan No.45266706
Zed is closer to IntelliJ or VSCode than to Sublime Text.
replies(1): >>45270137 #
biggusdickus69 No.45270137
In the amount of bloat, yes.
replies(1): >>45277037 #
johnisgood No.45277037
It is also important to note that this is not specific to Zed. As someone else has mentioned, it is a cultural problem. I picked Zed as an example because that is what I compiled the last time, but it is definitely not limited to Zed. There are many Rust projects that pull in over 1000 dependencies and they do much less than Zed.
replies(1): >>45279323 #
koakuma-chan No.45279323
Yeah tbh one time I had a Rust job and their back-end had like 700-800 dependencies.