Active Npm Supply Chain Attack: Tinycolor and 40 Packages Compromised

Posted4 months agoActive4 months ago

feross

85 points

36 comments

socket.devTechstory

skepticalnegative

Debate

60/100

NpmSupply Chain AttackSecurityMalware

Key topics

Npm

Supply Chain Attack

Security

Malware

A recent supply chain attack compromised 40 packages in the NPM ecosystem, including Tinycolor, and the community is discussing the implications and potential mitigations. The attack highlights the ongoing security concerns in the NPM ecosystem.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

37m

Peak period

6-9h

Avg / period

Comment distribution36 data points

Loading chart...

Based on 36 loaded comments

Key moments

01Story posted
Sep 15, 2025 at 7:29 PM EDT
4 months ago
Step 01
02First comment
Sep 15, 2025 at 8:06 PM EDT
37m after posting
Step 02
03Peak activity
9 comments in 6-9h
Hottest window of the conversation
Step 03
04Latest activity
Sep 17, 2025 at 1:45 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (36 comments)

Showing 36 comments

JonChesterfield

4 months ago

3 replies

AI detected potential malware. Plus a bunch of words. Is this a real thing? It does look like all the other npm compromise notes. But the page has AI and potential written on it, so the whole thing may be fabricated, and there are no other comments here.

So on balance I guess I'll ignore it. What a time to be a developer.

ferossAuthor

4 months ago

1 reply

Founder of socket.dev here. “AI detected potential malware” is what we call the alerts generated by our automated malware detection engine that runs on all newly published open source packages in real-time. However, these alerts are reviewed by our threat research team and once a human has confirmed the finding, we upgrade it to “Known malware”.

At this point (given we just published research about this) we've upgraded this threat to Known malware.

So in short:

- “AI detected potential malware” = automated system found something suspicious

- “Known malware” = human confirmed it’s real

The wording is intentional because not every automated hit ends up being true malware. It’s better to give developers early visibility into possible threats, even if they turn out to be benign, than to miss a real attack.

junon

4 months ago

TIL you're the founder of Socket. Thank you (and your team) for the help last week.

ATechGuy

4 months ago

Speculating based on another post: "...our investors are pushing us hard to frame it as AI..."

seanieb

4 months ago

socket.dev is a well known a reputable company, and their founder is pretty well known and trusted too. And looking that their blog post it looks like detected a real attack.

kevin_thibedeau

4 months ago

1 reply

To avoid LeftPad 3.0 they're going to have to add some sort of signed capabilities manifest to restrict API access for these narrow domain packages. Then attackers would limited to targeting those with network privileges.

lrvick

4 months ago

1 reply

Package signing of any kind was ruled out in 2013 for nonsensical reasons https://github.com/npm/npm/pull/4016

____tom____

4 months ago

1 reply

Time to revisit, clearly.

tmpfs

4 months ago

Agreed, more than time to revisit. I have stopped using npm entirely because of their cavalier attitude to security.

Code signing could and should have been implemented years ago. It's not a panacea but just part of defense in depth.

I can't trust npm whatsoever to do the right thing at this point.

aussieguy1234

4 months ago

1 reply

They're scanning for credentials. If they can get things like AWS credentials, I would expect to see cloud crypto mining as their next move. So it would be a good idea to keep an eye on your infra if you are affected.

lrvick

4 months ago

Anyone that has production AWS creds in the same operating system they randomly execute unreviewed code on the internet on should have their access revoked.

efortis

4 months ago

2 replies

Mitigate it with:

  echo "ignore-scripts=true" >> ~/.npmrc

https://blog.uxtly.com/getting-rid-of-npm-scripts

wrs

4 months ago

2 replies

Some packages have install scripts that actually need to run (e.g., esbuild).

pnpm refuses to run install scripts from packages you haven’t manually authorized, which helps a bit.

efortis

4 months ago

1 reply

Yes, at the end of that blog there are two options for that:

  npm install --ignore-scripts=false package-i-trust

Or, trigger the installation script:

  node node_modules/puppeteer/install.js

wrs

4 months ago

1 reply

The pnpm version of this is persistent. You approve the package once, and regular install works thereafter. Which is nice.

DemocracyFTW2

4 months ago

1 reply

is that permission tied to a specific version with a specific fingerprint/hash? because if it's not then you could still get a surprise come the next update...

wrs

4 months ago

It is by package name, but at least you won't be surprised when left-pad suddenly has an install script.

You can put a fingerprint on the package dependency itself, though, so if you add a fingerprint to anything you approve the install script for, you will get that level of safety.

lrvick

4 months ago

pnpm cannot be built from source without an existing pnpm binary making it ineligible for inclusion in any reproducible Linux distro, for good reason, as there is no way to rule out a trusting trust attack.

Pnpm should be considered for hobby use cases only.

lrvick

4 months ago

2 replies

And then the vulnerable code will just move to shell execs in the main library that fire the next time you include the library in your project.

If you do not have time to review a library, then do not use it.

singulasar

4 months ago

2 replies

I'm so sick of people saying this. If you use js for any non-tiny project, you'll have a bunch of packages. Due to how modules work in js, you'll have many, many sub dependencies.

Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions.

If you have time to review every package, every time it updates, you might as well just write it yourself.

Yes, this is a problem, no reviewing every dependency is not the damn solution

efortis

4 months ago

1 reply

Show them this Ken Thompson paper of 1984: "Reflections on Trusting Trust"

https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

And then hardware compromises…

I don't mean install anything. I mean, it's not a problem particular to the JS ecosystem.

lrvick

4 months ago

1 reply

I full source bootstrapped a Linux distro from hex0 all the way to nodejs binaries just to deal with trusting trust risks.

"just give up" is not a valid strategy.

https://codeberg.org/stagex/stagex

efortis

4 months ago

1 reply

where can I follow you? blog, x?

lrvick

4 months ago

https://lance.dev has my mastodon etc. My friends and I also run the #! community, https://hashbang.sh #!:matrix.org

lrvick

4 months ago

I have built and shipped production web applications for many large orgs with millions of users. Used 1-2 libs tops that i reviewed myself.

Also now as someone that runs a security consulting firm, we absolutely have clients that review 100% of dependencies even when it is expensive.

Both are valid options.

Normalized negligence is still negligence.

efortis

4 months ago

I partially agree, but that does mitigate it. The report says the attacker injected a `postinstall` script, which is common.

On the other hand, yes, an attack at code level, or a legit bug wouldn't be prevented.

jimmyl02

4 months ago

2 replies

this being the 2nd large compromise of the week is not boding well from the NPM ecosystem...

supply chain is and has been the new gold mine for bad actors it seems

seanieb

4 months ago

1 reply

There have been practical suggestions that could prevent this but NPM has not yet adopted:

- Prevent publishing new package versions for 24–48 hours after account credentials are changed.

- Require support for security keys.

lrvick

4 months ago

1 reply

The most important is just having authors sign their code and packages, and verifying code that is signed on download, like every sane Linux distro goes.

Except NPM rejected this over and over going back to 2013.

https://github.com/npm/npm/pull/4016

andycaine

4 months ago

1 reply

Some of the reservations around GPG and PKI are understandable. GPG signing clearly works for OS package managers where there is more control, but it's been a failure on PyPi, RubyGems and Maven.

I'd love to see npm adopt keyless signing like PyPi are doing with https://peps.python.org/pep-0740/.

lrvick

4 months ago

1 reply

Keyless signing is not a real thing. Trust online is always anchored to keys, even if short lived. Keyless signing just means letting a centralized oracle blind sign for you with trust anchored in a CA key of some kind in most cases, that an unknown number of people can tamper with.

Also GnuPG is not PGP.

My team and I dual PGP sign all packages in stagex with smartcards after confirmed determinstic builds. It works great, and avoids trust in any single party or computer. We even do this for all our python packages as pip will not allow it.

It is a single command with a rust binary to setup a PGP smartcard out of the package, with a backup. (keyfork) All devs should be PGP signing releases, reviews, and commits so we have a paper trail blackhats cannot inject themselves into.

There are no excuses other than misconceptions and misinformation on this topic being normalized.

andycaine

4 months ago

That's great - PGP signing works for you in your org.

But the fact is it hasn't worked for package repos like PyPi, and it won't for npm, because in a distributed, low-trust ecosystem like npm, you can't easily bind identities to PGP keys or have any confidence in the key management practices of package signers.

And of course "keyless" signing isn't literally keyless. But tools like sigstore remove the need for the management of long-lived keys and can bind a signature to an identity verified by a trusted IdP, solving some of the main issues with adopting PGP signatures.

lelanthran

4 months ago

NPM has bigger problems - no adults in the room! For example, they've been rejecting signed packages since 2014 or thereabouts?

Expect npm repos to be overflowing with AI-submitted crap that will lower the signal substantially due to not having any sort of identify via signing.

alex_suzuki

4 months ago

1 reply

Nice little Dune reference in there: The malware installs a Github action if it finds an access token, and names it 'shai-hulud-workflow.yml'. Shai Hulud is the Fremen term for the sandworms on Arrakis.

danieldspx

4 months ago

1 reply

I if you think that last week attack was s1ngularity that can be related to wormhole, now we get this shai-hulud that is actually a worm. Funny right? They are similar attacks also. This funny coincidence was described by someone at Aikido Security.

ramimac

4 months ago

It's not a coincidence - this attack is directly downstream of s1ngularity

View full discussion on Hacker News

ID: 45256210Type: storyLast synced: 11/20/2025, 8:42:02 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN