
1208 points | jamesberthoty | 1 comment
theodorejb No.45263347
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.

LelouBil No.45269128
I'm also wondering why huge scale attacks like this don't happen for other package managers.

Like, for Rust, you can have a build.rs file that gets executed when your crate is compiled, I don't think it's sandboxed.

Or also on other languages that will get run on development machines, like Python packages (which can trigger code only on import), Java libraries, etc.

Like, there is the postinstall script issue of course, but I feel like these attacks could have been just as (or almost as) effective in other programming languages, but I feel like we always only hear about npm packages.

arccy No.45273709
for the same reason that scams are kind of obvious if you care to look: use of JS / npm is an automatic filter for a more clueless target.