Malicious npm packages detected across Red Hat Cloud Services

Posted by kurmiashish 4 hours ago

Malicious npm packages detected across Red Hat Cloud Services(github.com)

633 points | 336 comments

mnahkies 24 minutes ago|

In every of these threads there's a bunch of snarky comments, either acting like this class of attack is exclusive to npm, or that nothing has been done about it. I don't think that's fair.

There's plenty of comments mentioning delay lines, and the other good stuff pnpm (and others) have implemented in response to protect package consumers.

That bit that's getting less conversation is the tools on the package maintainer side:

- MFA for publishing: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...

- trusted publishers, available for about a year: https://docs.npmjs.com/trusted-publishers

And as of recently, staged publishing, essentially combining the best of both those features: https://docs.npmjs.com/staged-publishing

Now you can: - Publish from CI, without static credentials

- AND require a maintainer to approve it using MFA before it actually goes live to the registry

If you want you can still use something like GitHub Actions Environments protection to require multiple approvals, or a time delay, on the CI side.

We need to encourage the community to adopt these publishing protections or this will continue to be an issue.

ajross 6 minutes ago||

IMHO those are both lipstick on a pig solutions. Ultimately all this stuff is just a variation of "make releases harder to publish", which isn't going to do anything but train people to evade them. Notably, neither would have prevented the xz-utils backdoor from reaching package distribution, which remains the gold standard for sophisticated upstream compromise.

The bug here isn't that we need to better authenticate already-trusted upstreams for packages, it's that the upstreams cannot be trusted as the sole source for security at all. Upstreams are a bunch of hackers[1] who aren't really interested in, nor will ever be good at, solid release engineering practices.

But some people are! The solution in the Linux world (and the one that saved us from xz-utils) is that there is a second level of human beings responsible for reviewing, auditing, packaging, and customizing those hacker-generated upstreams for the benefit of their users. These people have different eyes, different consumer requirements and different quality metrics. And they catch bugs and malfesance that the upstreams aren't prepared to do.

NPM (and cargo/PyPI et. al.) continues to think it can short circuit this requirement for human labor. It can't.

[1] In NPM's particular ecosystem, a bunch of web jockeys used to extremely fast release processes, loose compatibility requirements, and extreme reliance on reuse. This really explains why we see this with node packages more than Python or Rust: older and more conservative programmers just don't have as many rakes to step on.

selckin 7 minutes ago||

they need to make it required for everyone, and then they'll have done something

eranation 2 hours ago||

Hope it's ok I hijack this thread again about setting up cooldowns... (copy pasting my last comment when tanstack was compromised):

I know people have opinions about cooldowns, but they would have saved you from axios, tanstack, (+ @redhat-cloud-services) and many other recent npm supply chain attacks. If you have Artifactory / Nexus, you probably already have cooldowns, but it's easy to set up if you don't. Why cooldowns? Most npm (or pypi) compromises were taken down within hours, cooldowns simply mean - ignore any package with release date younger than N days (1 day can work, 3 days is ok, 7 days is a bit of an overkill but works too)

How to set them up?

- use latest pnpm, they added 1 day cooldown by default https://pnpm.io/supply-chain-security

- or if you want a one click fix, use https://depsguard.com (cli that adds cooldowns + other recommended settings to npm, pnpm, yarn, bun, uv, dependabot and, disclaimer: I’m the maintainer)

- or use https://cooldowns.dev which is more focused on, well, cooldowns, with also a script to help set it up locally

All are open source / free.

If you know how to edit your ~/.npmrc etc, you don't really need any of them, but if you have a loved one who just needs a one click fix, these can likely save them from the next attack.

Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown, but each of them have a way to do so (described in detail in depsguard.com / cooldowns.dev) In the past few months, while I don't have hard numbers, it seems more risk has come from Software Supply Chain attacks (malicious versions pushed) than from new zero day CVEs (even in the age of Mythos driven vulnerability discovery)

pavel_lishin 1 hour ago||

A friend of mine has a github repo with references to how to set things up in sane and slightly more secure manner: https://github.com/jordanconway/package-manager-hardening

nicolewhite 1 hour ago||

From that repo:

> Exact version pinning — specifying precise versions (1.0.0, ==1.0.0, =1.0.0, = 5.31.0) rather than ranges (^, ~>, >=) in package manifests. Ranges allow any version satisfying the constraint to be resolved at install time; exact pins mean only one version is ever valid.

My understanding is that pinning the dependency within the manifest isn't the mechanism that prevents the version from changing across installs -- it's the lockfile that accomplishes this.

eranation 1 hour ago||

In most cases yes, but really depends on which package manager and what command, if you use npm ci, it uses the package-lock.json values, if you use npm install, it can use any levels of freedom in the package.json. So if you lock package.json you remove that degree of freedom. But sometimes you do want to be able to "recreate the lock file" since it does fix a CVE. Just with a lockdown, you'll get the legitimate patch vs an accidental malicious takeover.

Normal_gaussian 1 hour ago|||

> If you know how to edit your ~/.npmrc etc, you don't really need any of them, but if you have a loved one who just needs a one click fix, these can likely save them from the next attack.

This feels like a very very small group of people; and people who really could do with opening the file and adding the line.

eranation 1 hour ago||

I wish that was the case. Asking people to do something simple, doesn't matter how simple it is, depends on how simple they view it. Changing your own car's oil is actually not that hard, once you know how to do it, most people don't even try. Think of QR codes, people hardly used them for many years, because you needed to download an app for it, small step. It only started to catch up when you had it built in the camera app in most providers. In any funnel, each step, no matter how easy, adds friction, remove the friction and you get bigger adoption.

So yes, everyone could open a file and edit it, also everyone could watch a youtube video on how to do X and yet choose to have someone else do it for them :)

Normal_gaussian 1 hour ago|||

> Changing your own car's oil is actually not that hard

It is. Changing oil requires a place where you have sufficient access to the vehicle to drain it; the right equipment; the right disposal solutions. Most people who have cars do not have that. And it takes significantly more time to change your own oil than to have someone else do it as part of other specialist maintenance.

> Think of QR codes, people hardly used them for many years, because you needed to download an app for it, small step. It only started to catch up when you had it built in the camera app in most providers.

Exactly. Using a QR code app required specific knowledge of the app, an internet connection, some time, knowledge of how and when to use it, and something to use it with - the barrier of which surpassed the convenience gained from the QR code.

> So yes, everyone could open a file and edit it, also everyone could watch a youtube video on how to do X and yet choose to have someone else do it for them :)

I'm struggling to find a non-contrived group of people who:

- do not know how to open and edit a file on their system

- do use npm

- would find installing pnpm or running `sudo install -d -m 0755 /etc/apt/keyrings; curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg; echo "deb [signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null; sudo apt update; sudo apt install depsguard` simpler

Of course, cooldowns.dev is a very long winded way of telling someone to run `npm config set min-release-age=3`, which is the simplest.

jmb99 2 minutes ago|||

Changing oil requires

> a place where you have sufficient access to the vehicle to drain it

Probably the only valid argument for people who park on the street.

> the right equipment

One $5 wrench, one $10 filter wrench (optional). One set of ramps ($40), or jack stands ($30) if you already have a jack. One drain pan, $10 (or free if you're resourceful). Total cost max $65. Cheaper if you look for deals, buy used, borrow from a friend. If you can't afford $65 once to save money in the long run while owning a car, you probably should've bought a cheaper car.

> the right disposal solutions

Every oil change requires a jug of oil to be purchased. You can drain your used oil into this jug and then dispose of it along with your other household hazardous waste. This is not hard.

> Most people who have cars do not have that.

I might believe this for a place to do an oil change, maybe. I struggle to believe most, but I would believe many. Aside from that, if you don't have those things, you are choosing not to have them.

Which is kind of the point. None of these things are hard, at all. The majority of car owners 100 years ago could adjust their own timing, clean distributor points, replace belts, etc. because if they couldn't, they'd be calling for a tow truck every few hundred miles. Those are all harder, and things have only gotten easier with time. If you can't do them, you are choosing not to, because there's an even easier solution - spending more money and getting someone else to do it for you.

eranation 1 hour ago|||

That group of people is the loosely affiliated people called "vibe coders". Even to get them to install depsguard is a challenge. I just ask them to point Claude to depsguard or cooldowns and follow the instructions (to save the tokens, of course Claude can figure it what needs to be done on its own)

The issue is that Claude Code also will be super happy to npm install axios / tanstack etc unless you explicitly tell it to add cooldowns.

nicogentile 1 hour ago||

[flagged]

hedora 1 hour ago||||

In what way is "edit your .npmrc" simple?!?

The JS ecosystem is really, really complicated, so any non-trivial app is going to use multiple bundlers, node runtimes, native runtimes, etc, etc, etc.

Every one of those has a different opinion about how to spell "cooldown".

On top of that, there's the bootstrapping issue of "I want to install the N pieces of ecosystem sprawl that read the .[p]npmrc that have the cooldown directive in them. How do I do that with a cooldown?" (Where N is unknowable, because of course it is.)

StilesCrisis 1 hour ago|||

An extra $15 of labor is well worth the cost of not having to change my own oil. They will do it efficiently and won't break anything. The cost of messing up one time immediately cancels out a lifetime of DIY savings, and they are equipped to do it right.

make3 42 minutes ago|||

theoretical question, do cooldowns still work if everyone has them?

chillax 40 minutes ago|||

Companies such as socket and safedep will still scan new packages and alert on malware (if they are able to detect it) so the packages are taken down before they pass your cool down

ZiiS 41 minutes ago|||

Less well maybe but yes. Security researchers still proactively test them, and the maintainer has a much better chance of catching it themselves.

doctorpangloss 1 hour ago||

> Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown,

by now, you should have received the feedback about why cooldowns don't make sense and why nobody is adopting them. look, you are writing an expression of the reason why right there.

eranation 1 hour ago||

I don't agree that nobody is adopting them. Can you please elaborate?

- Most companies I know have a 24 hours (at least) cooldown via their Artifactory / Nexus. They have ways to bypass it for urgent CVEs

- pnpm just adopted 24 hours cooldown as default, based on community feedback.

doctorpangloss 1 hour ago||

what is the difference between these two things from the point of view of how much work you have to do?

- checking every update of every dependency to see if is a relevant urgent security update

- checking every update of every dependency to see if it turns out to be a supply chain exploit

am i still checking every update of every dependency? there's no heuristic here. either you check them all, or you get randomly exploited - either by using known vulnerable software or from supply chain attacked software.

dmix 4 hours ago||

Our company uses yarn 4 which has an option to prevent you from installing an npm package for the first number of days of its release. Most of these seem to be caught within that timeframe (1-3 days).

https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

0xbadcafebee 2 hours ago||

The package event-stream was compromised and went unnoticed for 60 days: https://medium.com/intrinsic-blog/compromised-npm-package-ev...

The package axios was compromised, and hijacked the author's credentials, so every attempt at a fix was unfixed. https://www.trendmicro.com/en_us/research/26/c/axios-npm-pac...

The xz utility was backdoored for 2 months: https://gigazine.net/gsc_news/en/20240403-timeline-of-xz-ope...

A student researcher took over Python ctx and PHPass package maintainership, pushing out malicious changes, and that took over 7 days to be detected and fixed: https://infosecwriteups.com/how-i-hacked-ctx-and-phpass-modu...

Kaspersky found multiple PyPI packages that had been exploited for more than a year: https://www.kaspersky.com/about/press-releases/kaspersky-unc...

"LoftyLife" packages were exploited for several months: https://securelist.com/lofylife-malicious-npm-packages/10701...

Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.

pixl97 1 hour ago|||

Instant attacks are much easier and more common than delayed attacks. Security is an onion.

Sayrus 2 hours ago|||

> Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.

Many automated scanners use static code analysis rather than run the installation script. Not all of them are caught, but a good part of them are and you'd be saved by a delay.

mihaelm 3 hours ago|||

`pnpm` also has that and it's on by default since `v11`:

https://pnpm.io/settings#minimumreleaseage

vinnymac 3 hours ago||

It’s on by default in yarn 4 too now, but pnpm was the first to market that default minimum gate.

https://github.com/yarnpkg/berry/pull/7135

user3939382 2 hours ago||

If this were a universal default, would the strategy defeat itself?

zwily 58 minutes ago|||

Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)

Normal_gaussian 1 hour ago|||

No.

Many places run analyzers on published code; many security users have reason to shorten the period. The default period becomes the period where white hats have a chance to detect it and stop it passing the threshold.

wg0 2 hours ago|||

If everybody starts to delay for 3 days, wouldn't it be the case that everyone would discover it on the 3rd day?

pixl97 1 hour ago|||

Most attacks are discovered 'pretty quickly' via scanning services and groups that monitor repositories. The problem is even an hour gap could mean tens of thousands of downloads and executions.

cortesoft 2 hours ago|||

Vulnerability scanners and security researchers would be looking those first 3 days

iwhalen 4 hours ago|||

uv supports the same for any Python developers out there: https://docs.astral.sh/uv/concepts/resolution/#dependency-co...

KORraN 3 hours ago|||

pip has recently added a similar option, i.e.

`pip install --uploaded-prior-to P7D pre-commit`

https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-upl...

no-name-here 2 hours ago||||

Sadly I haven't seen that Visual Studio/Rider/dotnet/VS Code have such a feature for the C#/dotnet/nuget ecosystem.

orphea 2 hours ago||

Yep, a bummer. The devs don't even consider it a priority, too busy designing the feature:

https://github.com/NuGet/Home/issues/14657#issuecomment-3573...

darth_avocado 4 hours ago|||

And somehow poetry doesn’t in 2026.

armanckeser 3 hours ago|||

I don't use poetry anymore but do check the updates before claiming such things

https://python-poetry.org/blog/announcing-poetry-2.4.0/

darth_avocado 36 minutes ago|||

Fair, I didn’t do a “as of this morning check”. Should’ve done better. It’s sad because I moved away exactly because this feature was missing and now I’m not going back.

genxy 2 hours ago|||

May 3rd 2026. Release too new, didn't read.

dist-epoch 3 hours ago|||

so? nobody uses it anymore

darth_avocado 4 hours ago|||

There is something to be said about the need to keep all the packages as the latest and the greatest at all times. Every minor version update doesn’t need to be immediately applied. And maybe high and critical vulnerabilities don’t need to be a minor version upgrade.

Waterluvian 3 hours ago|||

I’m having a real problem at work with security theatre and the growing push to obsess over numbers of “vulnerabilities” in our projects. And then auto Dependabot PRs that encourage churn to fix issues that if an informed person actually reviews easily concludes it doesn’t affect us in the slightest.

red-iron-pine 41 minutes ago||

[dead]

chrisweekly 3 hours ago|||

"maybe high and critical vulnerabilities don’t need to be a minor version upgrade"

huh? what do you suggest instead?

darth_avocado 3 hours ago||

A separate pathway to updates. At the moment there is a pressure to keep all the packages updated at all times. Every time a new version of a random package deep in the dependency tree gets published, you roll a dice: is it a bunch of bug fixes that I don’t care about or a vulnerability patch that need to apply immediately? Since it could be either most devs just auto pilot on updates. This creates an environment where newly introduced vulnerabilities get promoted rather quickly before the version matures. Sure, waiting a few days to update a package sounds great, but there is no guarantee that the vulnerability will be found quickly.

To give you a context, I get 20-30 PRs a week across all my repos with potentially hundreds of packages (non distinct) from dependabot. I give it a cursory look and try to get a summary of changes. Do I evaluate every single package update? Nope.

kylebebak 2 hours ago|||

npm supports this now as well, with e.g. `min-release-age=7` in `.npmrc`

winrid 2 hours ago||

not if you have internal repos?

hedora 1 hour ago||

I think you can set it on internal repos, but then you need to allow-list internal code. People act like this is simple + solved, but it's not. It turns into 100K-1M's of LLM tokens on a semi-regular basis, or "just hire a build infra team for your side project" pretty quickly.

phoronixrly 4 hours ago|||

What happens when everyone adopts this policy? You just change it to two weeks?

blm126 4 hours ago|||

The one week cooldown option is not relying on other users to be a canary for you. Its just giving automated scanners a chance to notice. This is the perfect example. I don't think step security found this by accident. They are actively monitoring NPM package releases at some level.

There is something to be said that Microsoft should be scanning packages pre-release. They aren't, though, so for right now there is a ton of value with very little downside if people implement a one week cooldown period.

To answer your question directly, though. If everyone else moves to a one week cooldown, I would absolutely suggest a two week cooldown is a good idea. Being the "slow" moving organization is a good security trade-off so long as you don't take it to extremes and have escape hatches when you actually need to be moving quickly.

hedora 1 hour ago|||

There's a really bad implicit assumption in there: Microsoft's scanners have solved the halting problem, so they can tell if a package update will ever flip to malicious mode, or has an intentionally inserted security hole in it.

Of course, this also assumes that Microsoft's internal scanners are much better than the scanners available to the attackers, since any reasonable attacker is going to just run their obfuscated code through a scanner as part of their CI job. (And maybe even use the MS scanner as an oracle by submitting fragments to NPM to see which pieces of their exploit chain get flagged.)

Waiting until everyone else canaries is much stronger, but even that doesn't work on a targeted attack.

phoronixrly 3 hours ago|||

Thank you for the thorough response. I got the following from yours and other responses:

* The JS ecosystem has been and will most likely continue to be fast-moving, so it's quite a safe assumption that at no point will a quarantine period be wide-spread.

* This quarantine period is for (semi-)automated scanners to catch the issue. Although considering the above there will always be a non-zero amount of end-user canaries as well.

* Maybe NPM should run scanners before distributing malware?

* If the ecosystem by any chance adopts a week-long quarantine period, you'd be safer if you applied a longer quarantine period.

_flux 2 hours ago||

> Maybe NPM should run scanners before distributing malware?

I suspect there's always a human checking these results. If NPM straight out rejects an update due to suspected malware, they might end up rejecting correct updates as well. If they grant some "safe" patterns a special pass, they might get exploited.

So I think this only works if you have security scanners that are well-maintained and kept in secret. NPM folks could of course co-operate with some security companies to have a first stab with the releases before they are put to public access. At some point some parties might start want to have monetary compensation for such an arragnement, though.

phoronixrly 2 hours ago||

Look, nobody requested fully automated scanners that are never wrong. A scanner that asks the project owner to sign in with 2fa and confirm the release in case it's been flagged is going to be more than sufficient.

JoshTriplett 4 hours ago||||

A large array of automated and semi-automated security scanners are finding things quickly. The main benefit of waiting before updating is to give those scanners time to work.

genxy 2 hours ago||

Would be nice if cargo had a cooldown flag and could respect lockfiles by default.

dbdr 1 hour ago||

min-publish-age in cargo is coming:

https://github.com/rust-lang/rfcs/blob/master/text/3923-carg...

Ukv 3 hours ago||||

Security scans and authors realizing an unauthorized version was pushed will generally happen regardless of whether regular users updated. Even for compromises that are found by users updating, it'd generally be better to reduce the number of people affected with a slow roll-out rather than everyone jumping on at once.

Tomte 4 hours ago||||

You rely on the security companies scanning the packages.

exitb 4 hours ago|||

Well, if that actually works, it should be part of the release process, before the packages get placed onto the regular channels.

pixl97 1 hour ago|||

It works because there are multiple companies doing it and double checking the results.

For example, is a crypto miner actually an attack? If the package presents itself as a miner, then no. Is connections to other repositories an attack? Again, depends on what the package does. Connections to some other hostname? Depends.

There is still a lot of human analysis that occurs in making the call that an attack is occurring.

blm126 3 hours ago|||

I think the key right now is that these are semi-automated scanning processes. Right now, companies like step security selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.

None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.

ZiiS 3 hours ago||||

@exitb it is much more desirable for security scanning companies to compete to find issues in a timely manor. If npm blessed one as a gatekeeper to the whole system they would be between a rock and a hard place. Unable to priorities high impact packages over the long tail of packages no one uses without pissing people off. Unable to add experimental new detections that may be a little noisy at first due to the huge disruption it would cause. Be trivial to game as obscure packages could brute-force their way though then use the same hole on a mainstream package.

sandos 4 hours ago|||

Then the ... malware will just add delays? Or do they really do manual in-depth analysis of all new code? Just running and seeing it do things is probably a lot easier.

Ukv 2 hours ago||

Security scanners won't be "manual in-depth analysis of all new code" or "Just running and seeing it do things", but somewhere in-between - utilizing static analysis/machine learning. It's a cat-and-mouse game, but the attacker adding code that waits X days to run something obfuscated would be another pattern that they could look for.

I think these attackers are unlikely to add a delay in the first place because the chance of their attack being found out before it activates would be too high. They seem to generally work on the assumption that they have a day or so before the package is yanked (e.g: from maintainer noticing their account is compromised) so need to move fast.

BoredPositron 4 hours ago||||

Always one day more than people on HN tell you. If something is compromised you will hear people complaining here that three days is not enough.

bakugo 3 hours ago|||

This will never happen unless it's made the default. Most people will always stick with the defaults.

olejorgenb 3 hours ago||

pnpm also support this

dmix 3 hours ago||

The gist link above covers how to use it in yarn, npm, and pnpm

insanitybit 3 hours ago||

Just some suggestions:

1. Dependency cooldowns of 1-2 days seem to be extremely effective without negatively impacting your ability to patch for CVEs.

2. Anywhere you have `npm install` or `npm test` or anything where code executes, that should happen in an environment that has no privileges. In your github actions you can do this semi-straightforwardly by using two separate jobs - one to build the artifacts and test them, another to do any sort of publishing, signing, etc. If you use AI, add a skill / guidance to enforce this pattern.

3. If you use Github Actions, install the latest version of zizmor. It will significantly improve your posture.

(2) means that you are no longer "wormable", which is a massive part of the problem that we have today. (1) gives companies more time to respond to the attacks.

There are some vendors in this space that you can and should evaluate as well.

spockz 58 minutes ago||

Should we instead of these cooldowns just run builds in isolated contexts?

I’m running a maven proxy locally. All builds happen inside containers. I only use public repos for python, npm, and go. So these builds happen also in containers but don’t need a repository proxy.

insanitybit 42 minutes ago||

> Should we instead of these cooldowns just run builds in isolated contexts?

I'd suggest both. Cooldown for 1-2 days is very cheap and you likely won't even notice it, so it's quite harmless and from what I've seen even just 24 hours is enough to let security companies pick up malware.

But yeah, isolation is a must-have.

spockz 11 minutes ago||

At this point, is there an obligation of package managers, or at least npm to arrange the sandboxing themselves?

Or as us or companies to wrap the build tools to provide the wrapping for them.

pixl97 1 hour ago|||

>install the latest version of zizmor.

What if it gets compromised?

More of a joke. But was funny after saying that new packages should be delayed.

insanitybit 1 hour ago||

lol yeah I thought of that as typing but figured I'd avoid the complexity. "latest version" means, give or take, whichever the latest one was that contained a bunch of new rules around supply chain stuff.

tmpz22 2 hours ago||

> anything where code executes

ALL the agentic orchestrators like codex, claude-code, etc. seem to do this by default.

gbuk2013 4 hours ago||

I came across this interesting rant the other day: https://github.com/uNetworking/uWebSockets.js/blob/master/mi...

It does make sense that the right way would be to fork every dependency you use and install from your own repo reviewing and merging from upstream as needed. Would be a giant PITA though. :)

Cthulhu_ 3 hours ago||

Nothing that couldn't be automated; in Go land this is (arguably) called vendoring (https://go.dev/ref/mod#vendoring). Good to offload or reduce dependencies on 3rd party dependency hosters, pull a dependency into your own code review tools, and to ensure reproducible builds long term.

Izkata 3 hours ago|||

It's a generic and very old term for committing dependencies to your repo, it's not go-specific.

gbuk2013 3 hours ago|||

I mean there’s nothing stopping you from committing node_modules to git (after running something like https://github.com/timoxley/cruft on it) and reviewing code changes on dependency updates.

I even managed to make that part of the workflow on one team I worked with but several other teams since thought it was a crazy idea. :)

Bilal_io 3 hours ago|||

The problem would be the dependencies of your dependencies, and keep going many levels.

nafey 2 hours ago|||

The problem is that node.js doesn't have a good standard library so one must rely on external packages to build even basic apps.

skydhash 2 hours ago||

Can you tell us what exactly is missing? A network api? Process execution? IO? Math?

nafey 1 hour ago||

From this we can see a few patterns: https://www.npmleaderboard.org/

Node.js doesn't have good support for regex, handling files, streams, serving static html, routing, operations on lists/dicts.

pipo234 3 hours ago|||

But presumably, you only include dependencies that you trust and those dependencies themselves do their trusting more strictly than you. Trust is built on vetting, signatures and reputation.

That is, at least what we do, in theory. In practice, we cross fingers and let the LLM pick dependencies, are satisfied if it just works and we either update our deps frequently or infrequently.

jruohonen 2 hours ago|||

> Trust is built on vetting, signatures and reputation.

https://news.ycombinator.com/item?id=47017833

Well, now with an irony, but sadly, of course.

no-name-here 2 hours ago|||

Would Red Hat be considered a trusted/reputable vendor? :-D

repelsteeltje 3 hours ago|||

That might change the odds, but unless you fork diligently (and monkeypatch each and every future vulnerability) you might ship a compromised fork forever.

olejorgenb 3 hours ago||

Except most of the attacks so far has not landed actually source code changes to git IIRC. They have targeting the release files directly.

lights0123 3 hours ago||

Software vulnerabilities are often not placed maliciously, and are present in the original source. If you don't patch them if discovered later, you'll be vulnerable to them.

whynotmaybe 2 hours ago|||

Shouldn't you also restrict version number for a package not just the latest?

dboreham 3 hours ago|||

I think the general idea that your supply chain should be rooted in source repositories and associated commit hashes is the right one. Tooling can be made to automate the process of putting together a product from those defined sources. Some languages/systems already have some support for this. E.g. Golang and Rust. The concept of a "binary" artifact is really dead now everyone uses git and builds are quick. It lives on in things like npm and docker hub but we don't actually need it.

Zardoz84 1 hour ago||

DUB , for D Lang does that.

paulddraper 2 hours ago|||

The problem is the volume of dependencies. Most modern JavaScript, Python, Rust, Go, etc. projects have many dozens of transitive dependencies.

marcosdumay 2 hours ago|||

Hum... You should check your JavaScript numbers again.

I have never seen a project that uses npm and has only dozens of dependencies. Normal numbers are in the 10s of thousands (including different versions of some deps).

mbreese 2 hours ago|||

Let’s not ignore that dependencies are far more common in JS than any of those other languages. My Go or Python projects generally only include a handful of external packages. Node projects on the other hand…

paulddraper 2 hours ago||

My requirements.txt does tend to be shorter than package.json, but not by a massive amount.

twodave 4 hours ago||

For smaller shops (by small I mean <1,000 employees) this isn't even tenable. We (engineering team of about 10 people) mitigate what we can via tooling and cooldown periods/minimum release age. This will work as long as these malicious packages remain reasonably detectable. I think that's the proper balance, because we can adjust the # of days we are willing to risk against the SOTA of detection tooling.

kitd 3 hours ago||

Hmm, same day as RH and IBM announce Project Lightwell to help detect and fix supply chain vulns.

https://www.redhat.com/en/lightwell

rectang 32 minutes ago||

About a week ago, I uninstalled Node from my laptop, which felt great. :)

I'm trying to do all work in dev containers (or other sandboxes), limiting the blast radius if I'm unlucky enough to be hit by an exploit. The attackers may get a Claude token, but they won't easily be able to escape the container and scan my home dir.

Cooldowns and allow-listing of installer scripts are good additions to layered security, especially for CI. However, I think the fundamental thing that needs to change is the OS permissions model. The default of trusting third-party software with everything your user has access is no longer workable.

mellosouls 3 hours ago||

Should link to the original announcement I think:

https://www.stepsecurity.io/blog/multiple-redhat-cloud-servi...

nailer 3 hours ago|

Yes. Also Red Hat is misspelt in the title.

king_zee 4 hours ago||

I've made it a habit now to use the --before=2026-05-30 flag when installing packages, where it'll pick the version released before the date you specify, I usually pick around 5 days ago

t-sauer 2 hours ago||

If you use npm 11, you can simplify your workflow by setting min-release-age to 5. https://docs.npmjs.com/cli/v11/using-npm/config#min-release-...

mihaelm 3 hours ago|||

I just use `pnpm` and set up a liberal `minimumReleaseAge`: https://pnpm.io/settings#minimumreleaseage

Thankfully, it's on by default since v11.

sync 2 hours ago|||

If using straight npm (v11.10.0 or higher), you can just add to .npmrc in the project root:

min-release-age=5

sourcegrift 3 hours ago||

Yarn 4 can automate this

vinnymac 2 hours ago||

In case others are unaware, you just have to set https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate to the value you want. It defaults to 1 day.

lepuski 2 hours ago|

Qubes offers the strongest protection against these threats. It's surprising it isn't more commonly adopted.

More comments...