Posted by WhyNotHugo 4 days ago

We all dodged a bullet (xeiaso.net)
Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657
822 points | 483 comments | page 6
ChrisArchitect 4 days ago
Related:

NPM debug and chalk packages compromised

https://news.ycombinator.com/item?id=45169657

jongjong 3 days ago
My open source projects were not affected, but it was a close call. I was using 2 of the dependencies (as sub-dependencies) but older versions. Seems that my philosophy of minimizing the number of dependencies and looking up dependency authors is paying off.

I saw this kind of thing coming years ago. I never understood why people were obsessed with using tiny dependencies to save them 4 lines of code. These useless dependencies getting millions of weekly downloads always seemed very suspicious to me.

arunc 3 days ago
Trying to read this on Brave on Android and I couldn't get past Anubis. Does anyone else observe the same?
umvi 3 days ago
"A little duplication is better than a little dependency"

- Golang Proverb (also applies to any other programming language...)

zamalek 4 days ago
WebAuthN/fido/passkey should be mandatory to publish a package with >N downloads. Email and TOTP codes can be MITM'd.
dzogchen 4 days ago
Lazy conclusion. People can and have been validating dependencies. We need an npm proxy with validated dependencies.
mayhemducks 4 days ago
`Object.getPrototypeOf(obj)[Symbol.iterator] !== undefined`

There I fixed it. Now I don't even need the package array-ish!

junon 4 days ago
`Symbol` wasn't supported when I wrote `is-arrayish`. Neither were spreads. It was meant to be used with DOM lists or the magical `arguments` variable.
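The exchange above is a concrete instance of the "inline the four lines" argument: an array-ish check is small enough to own, but the iterator one-liner and the original package answer slightly different questions. The block below is an added example, not code from the thread or from the `is-arrayish` package. It puts a null-safe version of the `Symbol.iterator` check beside a duck-typed check that needs no `Symbol` support and accepts `arguments` and DOM-style collections, then runs both over constructed inputs (a NodeList is simulated as a plain array-like object) so the differences are visible.

```javascript
// Added example (not from the thread or from is-arrayish): two dependency-free
// answers to "is this value array-ish?", and the inputs on which they disagree.

// Iterator-based check in the spirit of the one proposed above, made null-safe
// and restricted to objects (the bare prototype lookup would throw on null and
// would accept string primitives, whose prototype is iterable).
function isIterableObject(value) {
  if (value === null || typeof value !== "object") return false;
  return typeof value[Symbol.iterator] === "function";
}

// Duck-typed check that predates Symbol: a real array, or an object carrying a
// non-negative integer `length`. This is what covers `arguments` and DOM
// collections such as NodeList, which is the use the package author describes.
function isArrayish(value) {
  if (Array.isArray(value)) return true;
  if (value === null || typeof value !== "object") return false;
  const n = value.length;
  return typeof n === "number" && n >= 0 && Math.floor(n) === n;
}

// Constructed sample inputs. `arrayLike` stands in for a DOM NodeList, which
// has a numeric length but, in old engines, no Symbol.iterator.
function sampleArguments() { return arguments; }
const SAMPLES = {
  array: [1, 2],
  args: sampleArguments("a", "b"),
  arrayLike: { length: 2, 0: "x", 1: "y" },
  str: "abc",
  nothing: null,
  plain: { length: "2" },
};

// Run both checks over every sample and return the verdicts side by side.
function compareChecks(samples = SAMPLES) {
  const out = {};
  for (const [label, value] of Object.entries(samples)) {
    out[label] = { iterable: isIterableObject(value), arrayish: isArrayish(value) };
  }
  return out;
}

console.table(compareChecks());
```

Of the six inputs only the array-like object separates the two: the iterator check rejects it, the length-based one accepts it. Which answer is right depends on whether the caller wants "can I spread this" or "can I index this", and that is the decision a one-line dependency hides.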
empathy_m 4 days ago
How much money did the attackers make?
ruuda 4 days ago
I'm not sure whether the compromised packages were the source of Kiln's API compromise, but it's plausible. It led to theft of $41M worth of SOL. https://cointelegraph.com/news/swissborg-hacked-41m-sol-api-...
junon 3 days ago
These were different. The vulnerable packages wouldn't have caused an API exploit vector except in the most bizarre of edge cases I suppose.
zahlman 4 days ago
According to a crypto tracking site linked indirectly via the other popular submission, about $500 worth of crypto.
gazaim 4 days ago
5 cents of eth and $20 of a meme coin.
beefnugs 3 days ago
We didn't dodge anything, this is just 1 of 1000 publicly found and reported on.
thefifthsetpin 4 days ago
Allowing just anybody to rent npmjs.help feels like aiding and abetting.
ameliaquining 4 days ago
Who should have stopped this from happening and how should they have gone about doing so?