(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]▶

>>45260741 (OP) #

I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.

replies(3): >>45260975 #>>45261085 #>>45261124 #

oVerde ◴[16 Sep 25 11:51 UTC] No.45260975[source]▶

>>45260954 #

So basically you live JavaScript free?

replies(4): >>45260998 #>>45261034 #>>45261487 #>>45261734 #

Xelbair ◴[16 Sep 25 11:57 UTC] No.45261034[source]▶

>>45260975 #

as much as i can yes.

I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself.

replies(3): >>45261071 #>>45261213 #>>45261604 #

hoppp ◴[16 Sep 25 12:57 UTC] No.45261604[source]▶

>>45261034 #

Lucky you. I keep coming back to it because jobs and even for desktop apps a native webview beats everything else.

We fcked up with js, big time and its with us forever now

replies(3): >>45261698 #>>45261995 #>>45281955 #

sfn42 ◴[16 Sep 25 13:29 UTC] No.45261995{3}[source]▶

>>45261604 #

I was hyped for wasm because i thought it was supposed to solve this problem, allowing any programming language to be compiled to run in browsers.

But apparently they only made it do like 95% of what JS does so you can't actually replace js with it. To me it seems like a huge blunder. I don't give a crap about making niche applications a bit faster, but freeing the web from the curse of JS would be absolutely huge. And they basically did it except not quite. It's so strange to me, why not just go the extra 5%?

replies(3): >>45262081 #>>45265200 #>>45272185 #

1. joquarky ◴[17 Sep 25 05:44 UTC] No.45272185{4}[source]▶

>>45261995 #

The DOM is fundamentally dependent upon JS shaped data structures and garbage collection. They are BFFs.

Any attempt to bypass this will be perilous.

replies(1): >>45272397 #

2. sfn42 ◴[17 Sep 25 06:20 UTC] No.45272397[source]▶

>>45272185 (TP) #

So we'd need a new DOM, seems feasible

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised