Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

I think I’m gonna start wrapping most of my build commands (which are inside a makefile) with bwrap. Allow network access only for fetching dependencies. Limit disk access (especially rw access) throughout. Etc.

If anyone is interested, I've added this BWRAP_BUILD variable to a makefile in my project that builds a Go and SvelteKit project. I then preface individual commands that I want sandboxed within a make target (e.g. mybin below).

  PATH_ELEMENTS := $(subst :, ,$(PATH))
  BIND_COMMANDS := $(foreach element, $(PATH_ELEMENTS), --ro-bind-try $(element) $(element))
  
  define BWRAP_BUILD
  bwrap \
  --unshare-all \
  --unshare-user \
  --die-with-parent \
  --disable-userns \
  --ro-bind /usr/ /usr \
  --ro-bind /lib64 /lib64/ \
  --ro-bind /lib /lib \
  --ro-bind /etc/alternatives/ /etc/alternatives/ \
  --ro-bind $(CURDIR) $(CURDIR) \
  --proc /proc \
  --clearenv \
  --setenv PATH $(PATH) \
  $(BIND_COMMANDS) \
  --setenv GOPATH $(GOPATH) \
  --ro-bind $(GOPATH) $(GOPATH)  \
  --setenv TMPDIR $(XDG_CACHE_HOME)/go-build  \
  --bind $(XDG_CACHE_HOME)/go-build $(XDG_CACHE_HOME)/go-build  \
  --setenv XDG_CACHE_HOME $(XDG_CACHE_HOME)  \
  --dev-bind /dev/null /dev/null  \
  --setenv PNPM_HOME $(PNPM_HOME) \
  --bind-try $(PNPM_HOME) $(PNPM_HOME) \
  --setenv HOME $(HOME) \
  --bind-try $(CURDIR)/ui/.svelte-kit $(CURDIR)/ui/.svelte-kit \
  --bind-try $(CURDIR)/ui/build $(CURDIR)/ui/build \
  
  endef
  
  mybin: $(deps)
    $(BWRAP_BUILD) go build -trimpath -ldflags $(ldflags) ./cmd/mybin/

Notes: most of the lines after --setenv GOPATH... are specific to my project and tooling. Some of the lines prior are specifically to accommodate my tooling, but I think that stuff should be reasonably general. Lmk if anyone has any suggestions.