←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 1 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source
Show context
l___l ◴[16 Sep 25 11:48 UTC] No.45260940[source]
Is there a theoretical framework that can prevent this from happening? Proof-carrying code?
replies(8): >>45260951 #>>45260961 #>>45260981 #>>45260989 #>>45261022 #>>45261060 #>>45270399 #>>45274246 #
jcgl ◴[17 Sep 25 11:04 UTC] No.45274246[source]
I think I’m gonna start wrapping most of my build commands (which are inside a makefile) with bwrap. Allow network access only for fetching dependencies. Limit disk access (especially rw access) throughout. Etc.
replies(1): >>45276629 #
1. jcgl ◴[17 Sep 25 14:57 UTC] No.45276629[source]
If anyone is interested, I've added this BWRAP_BUILD variable to a makefile in my project that builds a Go and SvelteKit project. I then preface individual commands that I want sandboxed within a make target (e.g. mybin below).

  PATH_ELEMENTS := $(subst :, ,$(PATH))
  BIND_COMMANDS := $(foreach element, $(PATH_ELEMENTS), --ro-bind-try $(element) $(element))
  
  define BWRAP_BUILD
  bwrap \
  --unshare-all \
  --unshare-user \
  --die-with-parent \
  --disable-userns \
  --ro-bind /usr/ /usr \
  --ro-bind /lib64 /lib64/ \
  --ro-bind /lib /lib \
  --ro-bind /etc/alternatives/ /etc/alternatives/ \
  --ro-bind $(CURDIR) $(CURDIR) \
  --proc /proc \
  --clearenv \
  --setenv PATH $(PATH) \
  $(BIND_COMMANDS) \
  --setenv GOPATH $(GOPATH) \
  --ro-bind $(GOPATH) $(GOPATH)  \
  --setenv TMPDIR $(XDG_CACHE_HOME)/go-build  \
  --bind $(XDG_CACHE_HOME)/go-build $(XDG_CACHE_HOME)/go-build  \
  --setenv XDG_CACHE_HOME $(XDG_CACHE_HOME)  \
  --dev-bind /dev/null /dev/null  \
  --setenv PNPM_HOME $(PNPM_HOME) \
  --bind-try $(PNPM_HOME) $(PNPM_HOME) \
  --setenv HOME $(HOME) \
  --bind-try $(CURDIR)/ui/.svelte-kit $(CURDIR)/ui/.svelte-kit \
  --bind-try $(CURDIR)/ui/build $(CURDIR)/ui/build \
  
  endef
  
  mybin: $(deps)
    $(BWRAP_BUILD) go build -trimpath -ldflags $(ldflags) ./cmd/mybin/
Notes: most of the lines after --setenv GOPATH... are specific to my project and tooling. Some of the lines prior are specifically to accommodate my tooling, but I think that stuff should be reasonably general. Lmk if anyone has any suggestions.