Postmortem: TanStack NPM supply-chain compromise

Posted by varunsharma07 16 hours ago

Postmortem: TanStack NPM supply-chain compromise(tanstack.com)

https://github.com/TanStack/router/issues/7383

896 points | 367 commentspage 3

hirako2000 7 hours ago|

> it's a known GitHub Actions design issue that requires conscious mitigation.

Okay it's a security issue, but just mitigate it as we won't fix it.

In a recent comment people asked me how come GitHub Action isn't a positive added feature since MS acquisition.

varunsharma07 16 hours ago||

The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.

janice1999 15 hours ago|

How did you guys detect it? Do you use it internally or do you monitor popular packages?

bpavuk 14 hours ago||

related: CVE-2024-YIKES

https://news.ycombinator.com/item?id=48086082

TZubiri 14 hours ago|

Life imitates art

https://news.ycombinator.com/item?id=48086082#48087028

https://news.ycombinator.com/item?id=48101453

exaroth 11 hours ago||

Installing any npm packages seems more and more like walking through the minefield at this point.

DaSHacka 2 hours ago|

And the worst part is installing one pulls like 50 bazillion others because of how dysfunctional the ecosystem is

andix 11 hours ago||

Release pipeline should probably run completely isolated from the main GitHub project.

Maybe a private project, that can't share any cache from the main project where public development is done.

Also only the publish step itself should have access to the publish tokens, and shouldn't run any of the code from the repo. Just publish the previously built tarball, and do nothing more. This would still allow compromising the package somehow in the build step, but at least stealing tokens should become impossible.

9dev 7 hours ago|

That's the case if you use pull_request rather than pull_request_target.

platinumrad 13 hours ago||

How likely is it that I have this installed if I'm not a JS developer? It seems like half of the programs on my work computer install their own JS runtime.

data-ottawa 13 hours ago|

It sounds like you can check for `~/.local/bin/gh-token-monitor.sh` or if there's an extra macOS LaunchAgent (I use LaunchPad on macOS to manage my launchctl services). You can also check systemd on linux, but I'm less familiar.

dwoldrich 13 hours ago||

Time for a shameless plug for my friend's product: dependencies built from source and served up a la carte. Removes a lot of trust issues with rando tarballs uploaded by bad actors. There's nothing quite like it.

https://www.activestate.com/curated-catalog/

ChoosesBarbecue 15 hours ago||

> Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor(macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. (It looks like it might also have a bunch of persistence mechanisms. I haven't studied these closely.)

Jesus, that's vindictive.

mediaman 14 hours ago|

I could imagine this might also be to try cover its tracks. If it gets 40x it means it's been found, time to nuke everything it can.

zapkyeskrill 12 hours ago||

Maybe gH could, accidentally, 40x for a few minutes globally and eradicate the beast?

vldszn 11 hours ago||

Recommend adding this globally:

pnpm config set minimum-release-age 10080 # 7 days in minutes

https://pnpm.io/supply-chain-security#delay-dependency-updat...

blhack 10 hours ago|

Is there any obvious way to detect if you’ve gotten owned by this?

More comments...