
1208 points jamesberthoty | 1 comments
cyrnel ◴[] No.45270758[source]
Code signing, 2FA, and reducing dependencies are all incomplete solutions. What we need is fine-grained sandboxing, down to the function and type level. You will always be vulnerable as long as you're relying on fallible humans (even yourself) to catch or prevent vulnerabilities.

Apparently they've tried to implement this in JavaScript but the language is generally too flexible to resist a malicious package running in the same process.

We need to be using different languages with runtimes that don't allow privileged operations by default.

replies(1): >>45271309 #
1. 9dev ◴[] No.45271309[source]
That doesn’t solve it either. If you need to grant hundreds of permissions, people will just hand-wave them all—remember the UAC debacle in Windows Vista? I like Deno's approach way better; and you could also ask why any application can just read files in your home folder, or make network requests to external hosts. OSes really are part of the equation here.