←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source
Show context
user3939382 ◴[16 Sep 25 12:34 UTC] No.45261383[source]
My comment yesterday, which received one downvote and which I will repeat if/until they’re gone: HTTP and JS have to go. There are ways to replace them.
replies(2): >>45261488 #>>45268221 #
progx ◴[16 Sep 25 12:46 UTC] No.45261488[source]
One downvote is not enough.
replies(1): >>45262129 #
user3939382 ◴[16 Sep 25 13:40 UTC] No.45262129[source]
One upvote is not enough. We need enough upvotes to fix the problem. You can’t shape a big pile of shit into success. HTTP and JS will never serve as a proper application framework.
replies(4): >>45267426 #>>45268159 #>>45270876 #>>45272045 #
poly2it ◴[17 Sep 25 02:24 UTC] No.45270876[source]
Would you care to elaborate? What solution do you propose, and how would it be implemented? How would removal of JavaScript and HTTP solve the dependency malware issue being discussed?
replies(1): >>45276018 #
1. user3939382 ◴[17 Sep 25 14:07 UTC] No.45276018[source]
JS execution model and semantics naturally lend themselves to these huge dependency trees with easily obfuscated code. There are wider non-language specific strategies to really nail this problem but the language isn’t helping and at the same time is causing 1,000 other problems because it was designed to validate phone numbers in a text input.

I appreciate that HTTP sounds tangential but my point is the whole stack is designed wrong for what it’s doing and we waste all of our time commenting on and fixing the 1,000 manifestations of that rather just fix the architecture. There are political reasons for that I won’t get into.