(socket.dev)

1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0.23s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

1. nerdponx ◴[17 Sep 25 14:56 UTC] No.45276620[source]▶

>>45260741 (OP) #

What's stopping supply chain attacks like this from happening in other languages like Python, or even in source repos via compromised forge accounts like Github? Artifact/commit signing is optional, so while 2FA fortunately is becoming mandatory, if the maintainer never used signing then this could happen to PyPI just as well as NPM, no? Or is NPM uniquely vulnerable for some reason?

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised