←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0.519s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

g42gregory ◴[16 Sep 25 17:55 UTC] No.45265531[source]▶

>>45260741 (OP) #

Are Python packaging systems like pip exposed to the same risks?

Is anybody looking at this?

replies(3): >>45265655 #>>45265941 #>>45268254 #

nromiun ◴[16 Sep 25 18:26 UTC] No.45265941[source]▶

Not to the same extent as NPM. Because Python has a good standard library and library authors are not deathly afraid of code duplication like JS devs, for example micro libraries like left-pad, is-even etc.

replies(2): >>45267004 #>>45271113 #

1. Klonoar ◴[17 Sep 25 02:59 UTC] No.45271113[source]▶

The weird dig at JS as a community is wholly unnecessary. Python as an ecosystem is just as vulnerable to this crap - and they’ve had their own issues with it.

You can reference that and leave the color commentary at the door.

replies(1): >>45271321 #

2. nromiun ◴[17 Sep 25 03:31 UTC] No.45271321[source]▶

>>45271113 (TP) #

Unnecessary? Maybe if more people had commented on JS devs tendency to include every 3 line micro packages in existence we would not be in this situation.

Every ecosystem has this problem but NPM is the undisputed leader if you count all attacks.