
Posted by WhyNotHugo 4 days ago

We all dodged a bullet (xeiaso.net)
Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657
822 points | 483 comments
superkuh 3 days ago|
Wow! This site uses Anubis with the meta-refresh based challenge that doesn't require JavaScript. So I can actually read the article in my old browser. It's so rare for Anubis deployments to be set up with any configuration beyond the defaults. What a delight.
aloer 3 days ago|
The blog author is also the creator of Anubis
dang 4 days ago||
In case you missed it:

NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657 - Sept 2025 (697 comments, including exemplary comments from the project maintainer)

lxe 3 days ago||
Gmail could have easily placed a red banner like

> "Warning! This is the first time you have received a message from sender support@npmjs.help. Please be careful with links and attachments, and verify the sender's identity before taking any action."

ChuckMcM 4 days ago||
Agree with most that this could have been way way worse. No doubt next time it will be.

I keep expecting some new company to bring out this revolutionary idea of "On prem: your machine, your libraries, your business."

btbuildem 3 days ago||
Sometimes I think I'm a stubborn old curmudgeon for staunchly refusing to use node, npm, and the surrounding ecosystem. Pick and choose specific packages if I really have to.

Then there's days like this.

scotty79 4 days ago||
Is there a tool that you can put between your npm client and npm web servers that serves package versions that are month old and possibly also tracks discovered malware and never serves infected versions?
JackFr 4 days ago||
Artifactory. Nexus. I believe AWS/GCP/Azure have offerings.

No bank, and almost no large corporation, goes directly to artifact/package repos. They all host them internally.

darthwalsh 2 days ago||
Yes, but the public npmjs repository also blocks our corporate IP addresses, so our CI/CD pipelines can't ruin npm for everybody else.
mikebelanger 3 days ago|||
Artifactory works fairly well. Although admittedly, when a user grabs a new dependency, they're downloading from the npmjs registry like anyone else.

Really, the killer combo would be to have some kind of LLM-based tool that would scan someone's artifactory. Something smart enough to notice that code changed, and there's code for accessing a crypto-wallet, etc. This would be too expensive for npmjs to host for free, but I could see this happen to hosted artifactory dependencies.

lovehashbrowns 4 days ago|||
I'm looking at Verdaccio currently, since Artifactory is expensive and I think the CE version still only supports C++. Does anyone have any experience with Verdaccio?
singulasar 4 days ago|||
The company that first found this vulnerability also has a tool for this: https://www.npmjs.com/package/@aikidosec/safe-chain
balder1991 4 days ago||
Something like this? https://jfrog.com/artifactory/
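The sub-thread above asks for a proxy that only serves package versions that are at least a month old and never serves versions known to be infected. The core of that policy is a selection rule over the registry's metadata document for a package (its "packument", which carries a `time` map of version to publish timestamp). The block below is an added example written for this page; it is not code from the thread, from Artifactory, Nexus, Verdaccio or safe-chain, and the package name, versions, dates and denylist in it are constructed for illustration.

```javascript
// Added example: the selection rule a "cooldown" registry proxy would apply.
// Given an npm packument, return the highest release version that was published
// at least `minAgeDays` ago and is not on a denylist of known-bad versions, and
// rewrite dist-tags.latest so clients asking for "latest" get that version.

// Constructed sample packument; the name, versions, dates and the denylist are
// invented for this example and do not describe any real package.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "1.3.0" },
  time: {
    created: "2025-01-10T12:00:00.000Z",
    modified: "2025-09-08T13:05:00.000Z",
    "1.2.3": "2025-06-01T09:00:00.000Z",
    "1.2.4": "2025-07-15T10:30:00.000Z",
    "1.3.0-beta.1": "2025-08-20T08:00:00.000Z",
    "1.3.0": "2025-09-08T13:05:00.000Z",
  },
};

// Constructed denylist: versions an operator has flagged as compromised.
const SAMPLE_DENYLIST = new Set(["1.3.0"]);

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "major.minor.patch" into numbers. Prerelease versions (anything with a
// "-" suffix) are not treated as release candidates here and return null.
function parseRelease(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { version, publishedAt } for the highest eligible release, or null
// when no version satisfies both the age and the denylist constraints.
function selectCooldownVersion(packument, minAgeDays, denylist = new Set(), now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  let best = null;
  for (const [version, published] of Object.entries(packument.time)) {
    // The time map also carries document-level timestamps; skip them.
    if (version === "created" || version === "modified") continue;
    const parsed = parseRelease(version);
    if (!parsed) continue;
    if (denylist.has(version)) continue;
    const publishedAt = Date.parse(published);
    // Too fresh (or unparseable) versions are never served.
    if (Number.isNaN(publishedAt) || publishedAt > cutoff) continue;
    if (!best || compareRelease(parsed, best.parsed) > 0) {
      best = { version, parsed, publishedAt: published };
    }
  }
  return best ? { version: best.version, publishedAt: best.publishedAt } : null;
}

// Returns a copy of the packument whose dist-tags.latest points at the
// cooled-down version, so `npm install example-pkg` through the proxy does
// not pull the freshly published one. Unchanged when nothing qualifies.
function rewriteLatestTag(packument, minAgeDays, denylist, now) {
  const pick = selectCooldownVersion(packument, minAgeDays, denylist, now);
  if (!pick) return packument;
  return { ...packument, "dist-tags": { ...packument["dist-tags"], latest: pick.version } };
}

// Fixed "now" so the example is reproducible offline.
const NOW = new Date("2025-09-09T00:00:00.000Z");
console.log(selectCooldownVersion(SAMPLE_PACKUMENT, 30, SAMPLE_DENYLIST, NOW));
console.log(rewriteLatestTag(SAMPLE_PACKUMENT, 30, SAMPLE_DENYLIST, NOW)["dist-tags"]);
```

A real proxy would apply this rule when it rewrites the packument it returns to the client and would also refuse tarball requests for denylisted versions directly, since a lockfile pins an exact version and never consults `dist-tags`. Note that the age check relies on the registry's own `time` data; an attacker who controls a publishing account cannot backdate an entry, but the proxy has to fetch and cache that metadata itself rather than trust a client-supplied copy.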
duffpkg 3 days ago||
For a very long time I have also used unique emails for each respective service that involves email. When I sign up for npm it is something like email_npm@example.com. This makes it very easy to whitelist and also spot phishing emails, because if an email for npm is coming to mail_cccoffee@example.com it screams that something is wrong. It is not bulletproof by any means, but it is an additional layer that costs me almost nothing and requires effort on the part of attackers.
junon 3 days ago|
That's exactly what I do, and have caught quite a lot of other phishing emails this way. They queried my npm email via the public API and sent it there.
nedt 3 days ago||
We haven't been saved by procrastination. We literally were saying "oh that's a new version, we are always behind anyway". Of course everything was still checked, but actually having the latest version on packages is almost never needed and we rather update when we have to (because version is old) instead of when there is a new version. Nothing new is that awesome.
monkpit 3 days ago||
This article makes one faulty assumption that I think is really common - the author says it could be much worse, which implicitly assumes that we have noticed and caught every other time something like this has happened.

Internally, we only noticed this because it caused a bunch of random junk to get barfed out into some CI logs.

You really can’t say that nobody has ever done this better. Maybe they just did it so well that nobody noticed.
