(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 0.404s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

Show context

kace91 ◴[16 Sep 25 12:47 UTC] No.45261497[source]▶

>>45260741 (OP) #

I think these kinds of attack would be strongly reduced if js had a strong standard library.

If it was provided, it would significantly trim dependency trees of all the small utility libraries.

Perhaps we need a common community effort to create a “distro” of curated and safe dependencies one can install safely, by analyzing the most popular packages and checking what’s common and small enough to be worth being included/forked.

replies(4): >>45267948 #>>45269564 #>>45270100 #>>45272304 #

1. silverwind ◴[17 Sep 25 06:05 UTC] No.45272304[source]▶

>>45261497 #

Node.js has been adding APIs that make it feasible to write stuff without dependencies, it's slowly getting there.

replies(1): >>45275980 #

2. pier25 ◴[17 Sep 25 14:03 UTC] No.45275980[source]▶

>>45272304 (TP) #

What stuff?

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised