
1208 points jamesberthoty | 1 comment

Meneth (No.45261303):
This happens because there's no auditing of new packages or versions. The distro's maintainer and the developer are the same person.

The general solution is to do what Debian does.

Keep a stable distro where new packages aren't added and versions change rarely (security updates and bugfixes only, no new functionality). This is what most people use.

Keep a testing/unstable distro where new packages and new versions can be added, but even then added only by the distro maintainer, NOT by the package developers. This is where the audits happen.

NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

Yasuraka (No.45263570):
> NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories

Can you point me to Go's centralized package repository?

ForHackernews (No.45265287):
https://github.com/
Yasuraka (No.45267125):
git isn't centralized nor a package repository

For what it's worth, our code is on GitLab

ForHackernews (No.45268157):
Github is a centralized repository where the overwhelming majority of Go libraries are hosted.
Yasuraka (No.45271949):
So GitHub is every single programming language's centralized package repository?

Then what's the difference between git and npm, cargo, pypi, mvn et al?

ForHackernews (No.45273397):
Git != Github.

In practice, little difference between Go's use of Github and Python's use of PyPI. Someone at Microsoft with root access could compromise everyone.

Yasuraka (No.45277776):
> Git != Github

That's why I'm putting emphasis on it, because to Go it is.

And to languages that actually have centralized package repositories it isn't. There is a difference between code and packages and Go simply does not have the latter (in the traditional sense - what Go calls a package is a collection of source files in the same directory that are compiled together within a module (a module is a collection of packages (again, code) that are released, versioned, and distributed together. Modules may be downloaded directly from version control repositories or via proxy servers)).

To the other languages mentioned above, packages may have binaries, metadata and special script hooks. There is a package manager like pip, cargo or npm and if you want to install one, you won't have to specify a URL because there is a canonical domain to go to.

Go just knows code and it'll use git, hg or even svn. And if you want to claim that lots of open-source code being on GitHub makes it special, then

> GitHub is every single programming language's centralized package repository

and

> Someone at Microsoft with root access could compromise every user of every single programming language

ForHackernews (No.45280065):
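The comment above describes Go modules as plain source that may arrive from a version-control host or from a proxy. What makes that workable is that `go.sum` pins the content, not the origin. The following is an added example written for this page (not code from the thread or from the Go project): it reimplements the `h1:` module hash in the format of golang.org/x/mod/sumdb/dirhash and checks a constructed, non-existent module `example.com/lib` against a constructed `go.sum` line, then shows the check failing after the source is altered. The file names and contents are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleHash computes the "h1:" hash that Go records in go.sum for a module.
// The scheme follows golang.org/x/mod/sumdb/dirhash.Hash1: every file's SHA-256
// is listed as "<hex>  <name>\n" in sorted name order, and the SHA-256 of that
// listing is base64-encoded. Names are the paths inside the module zip, i.e.
// "<module path>@<version>/<file>".
func ModuleHash(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("file names containing newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	listing := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(listing, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(listing.Sum(nil)), nil
}

// ParseGoSum reads go.sum lines ("<module> <version> <hash>") into a map keyed
// by "<module> <version>". Lines for "<version>/go.mod" get their own key.
func ParseGoSum(text string) map[string]string {
	pins := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 {
			pins[f[0]+" "+f[1]] = f[2]
		}
	}
	return pins
}

// Verify compares fetched module contents with the hash pinned in go.sum.
// Where the bytes were fetched from (GitHub, GitLab, a proxy) plays no part.
func Verify(goSum, path, version string, files map[string][]byte) (bool, error) {
	want, ok := ParseGoSum(goSum)[path+" "+version]
	if !ok {
		return false, fmt.Errorf("%s %s is not pinned in go.sum", path, version)
	}
	got, err := ModuleHash(files)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// SampleModule is a constructed two-file module used to exercise the check;
// it is not a real published module.
func SampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n\ngo 1.21\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n\nfunc Hello() string { return \"hello\" }\n"),
	}
}

func main() {
	files := SampleModule()
	h, _ := ModuleHash(files)
	goSum := "example.com/lib v1.0.0 " + h + "\n"
	fmt.Print("go.sum: ", goSum)

	ok, _ := Verify(goSum, "example.com/lib", "v1.0.0", files)
	fmt.Println("pristine module verifies:", ok)

	// Simulate an upstream that serves altered source under the same tag.
	files["example.com/lib@v1.0.0/lib.go"] = append(files["example.com/lib@v1.0.0/lib.go"], []byte("\n// injected\n")...)
	ok, _ = Verify(goSum, "example.com/lib", "v1.0.0", files)
	fmt.Println("tampered module verifies:", ok)
}
```

The caveat a practitioner should keep in mind: this pin only protects builds whose `go.sum` already records the module. The first fetch of a new version trusts whatever the origin (or the checksum database, when enabled) hands back, so a compromised host can still poison first-time consumers.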
I think you're being silly to be so insistent about this. 95% of Go packages are hosted on Github, a centralized hosting platform. The fact that they install via the git protocol (or do they? do they just use https to check out?) is immaterial.

95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

> what Go calls a package is a collection of source files in the same directory

What is it that you imagine Python or NPM packages consist of? Hint: A Python .whl file is just a folder in a zip archive (Python also supports source distributions directly analogous to Go)

[0] https://docs.astral.sh/uv/concepts/indexes/

[1] https://thelinuxcode.com/install-git-repository-branch-using...

Yasuraka (No.45281363):
> 95% of Go packages[=code, the author] are hosted on Github

So "GitHub is every single programming language's centralized package repository, because lots of code is hosted there" ?

> Python supports installing from other non PyPI indexes
> 95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

And yet there is a clear difference between source distributions and pip/npm/rubygem/cargo packages - and between tooling/ecosystems that ONLY support the former and those that MAY use either and unfortunately mostly use the latter.

> What is it that you imagine Python or NPM packages consist of?

Something like a script that runs as part of the package that downloads a tarball, modifies package.json, injects a local bundle.js and runs npm publish (see this post). Usually also hosted at the default, centralized, authoritative source run by the maintainers of the package management tool.

But I'm repeating myself.

> (or do they? do they just use https to check out?)

Maybe try it out or read the docs first.

I'm closing with this:

> NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

is either wrong or disingenuously misleading, requiring nothing to apply to every single thing, depending on how you slice your definitions. It does not hold any water, that is my entire argument.

ForHackernews (No.45287193):
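The comment above points at the concrete difference: an npm package can carry lifecycle scripts that execute on the installing machine. Below is an added example, written for this page and not taken from the thread or from npm, of the triage check a reviewer would run over a manifest: parse `package.json`, list the scripts npm runs when the package is installed as a dependency (`preinstall`, `install`, `postinstall`), and flag commands that fetch remote content, pipe it into a shell, or call `npm publish` from inside an install. The three manifests are constructed samples; the package names and commands are assumptions, not real packages.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// installHooks are the npm lifecycle scripts that run automatically when the
// package is installed as a dependency, in the order npm runs them.
var installHooks = []string{"preinstall", "install", "postinstall"}

// markers are substrings that warrant a closer look in an install-time script:
// fetching remote content, piping it to a shell, evaluating inline code, or
// publishing to the registry from inside an install (the propagation step of
// a self-replicating package).
var markers = []string{"curl ", "wget ", "| sh", "| bash", "npm publish", "node -e"}

// Finding is one install-time script found in a package manifest.
type Finding struct {
	Package    string
	Hook       string
	Command    string
	Suspicious bool
}

// InstallHooks parses a package.json and returns every lifecycle script that
// would execute on the installing machine, flagging those that match markers.
func InstallHooks(packageJSON []byte) ([]Finding, error) {
	var manifest struct {
		Name    string            `json:"name"`
		Scripts map[string]string `json:"scripts"`
	}
	if err := json.Unmarshal(packageJSON, &manifest); err != nil {
		return nil, fmt.Errorf("parsing package.json: %w", err)
	}
	var findings []Finding
	for _, hook := range installHooks {
		cmd, ok := manifest.Scripts[hook]
		if !ok {
			continue
		}
		f := Finding{Package: manifest.Name, Hook: hook, Command: cmd}
		for _, m := range markers {
			if strings.Contains(cmd, m) {
				f.Suspicious = true
				break
			}
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// Constructed manifests (not real packages): no hooks, a legitimate native
// build step, and an install hook shaped like the self-publishing behaviour
// described in the thread.
var (
	plainManifest  = []byte(`{"name":"plain-lib","version":"1.0.0","scripts":{"test":"node test.js"}}`)
	nativeManifest = []byte(`{"name":"native-addon","version":"2.3.1","scripts":{"install":"node-gyp rebuild"}}`)
	wormManifest   = []byte(`{"name":"popular-lib","version":"4.0.2","scripts":{"postinstall":"node bundle.js && npm publish"}}`)
)

func main() {
	for _, m := range [][]byte{plainManifest, nativeManifest, wormManifest} {
		findings, err := InstallHooks(m)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: %s -> %q (suspicious=%v)\n", f.Package, f.Hook, f.Command, f.Suspicious)
		}
	}
}
```

The marker list is deliberately crude; a real hook can hide its payload in a bundled file that the command merely runs, as the `node bundle.js` sample shows, so the useful policy is to disable lifecycle scripts by default (`npm install --ignore-scripts`) and allow-list the few native packages that genuinely need a build step.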
k, let me know how your CI pipeline fares the next time there's a Github outage and we can revisit this discussion of Go's fantastic uniquely decentralized dependency management.