
1208 points jamesberthoty | 1 comments
gchamonlive No.45260844
We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?
replies(10): >>45260897 #>>45260900 #>>45260903 #>>45260982 #>>45261023 #>>45261089 #>>45261173 #>>45261189 #>>45261245 #>>45268913 #
0xbadcafebee No.45268913
With Javascript, yes, but also with all programming-language package managers and software development culture in general. There's too huge of an attack surface, and virtually no attack mitigation. It's a free-for-all. These are solvable problems, though. Distros have been doing it the right way for decades, and we could do it even better than that. But being lazy is easier. Until people are forced to improve - or there's some financial incentive - they don't.
replies(1): >>45272816 #
hinkley No.45272816
This has been brewing for a long time. Maven, CPAN before it.

Maybe some of these systems have better protection from counterfeiting, and probably they all should. But as the number of packages you use goes up, the surface area does too. As a Node developer the… permissiveness of the culture has always concerned me.

The trick with playing with fire is understanding how fire works, respecting it, and keeping the tricks small. The bigger you go, the more the danger.