Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM(aikido.dev)
101 points by birdculture an hour ago | 22 comments
nathan_compton 35 minutes ago | parent | next [-]

I never, ever, do development outside of a podman container these days. Basically if I am going to run some code from somewhere and I haven't read it, it goes in a container.

I know its not foolproof, but I can't believe how often people run code they haven't read where it can make a huge mess, steal secrets, etc. I'll probably get owned someday, I'm sure, but this feels like a bare minimum.

netdevphoenix 15 minutes ago | parent | next [-]

> if I am going to run some code from somewhere and I haven't read it, it goes in a container

How does this work? Every single npm package has tons of dependency tree nodes

Lutger a few seconds ago | parent | next [-]

Everything runs in the container and cannot escape it. Its like a sandbox.

You have to make sure you're not putting any secrets in the container environment.

swsieber a few seconds ago | parent | prev [-]

I didn't read this as separate containers.

rco8786 25 minutes ago | parent | prev | next [-]

How are you doing this in practice? These are npm packages. I don't see how could reasonably pull in Posthog's SDK in a container.

christophilus 23 minutes ago | parent [-]

What do you mean? You can drop into bash in a container and run any arbitrary command, so `npm install foo` works just fine. Why would posthog's SDK be a special case?

LeifCarrotson 5 minutes ago | parent [-]

I think the issue is more about what else has to go into or be connected to that container. Posthog isn't really useful if it's air-gapped. You're going to give it keys to access all kinds of juicy databases and analytics, and those NPM tokens, AWS/GCP/Azure credentials, and environment variables are exactly what it exfiltrates.

I don't run much on the root OS of my dev machine, basically everything is in a container or VM of some kind, but that's more so that I can reproduce my environment by copying a VMDK than in an effort to limit what the container can do to itself and data it has access to. Yeah, even with root access to a VM guest, an attacker they won't get my password manager, personal credit card, socials, etc. that I only use from the host OS... But they'll get everything that the container contains or has access to, which is often a lot of data!

myaccountonhn 16 minutes ago | parent | prev [-]

I ssh into a second local user and do development there instead with tmux.

smallerfish 4 minutes ago | parent | prev | next [-]

Because PostHog's "Talk to a human" chat instead gets a grumpy gatekeeping robot (which also doesn't know how to get you to a working urgent support link), and there's nothing prominently on their home page or github about this:

Hey PostHog! What version do we need to avoid?

xnorswap 7 minutes ago | parent | prev | next [-]

Perhaps it's time to organize a curated "stable" stream for npm packages.

If I want more stability for my OS I can choose Debian-stable rather than Ubuntu-nightly.

But for npm, there doesn't seem to be the same choice available. Either I sign up to the fire-hose or I don't.

I can choose to only upgrade once a month, but there's a chance I'm still getting a package that dropped 5 minutes before.

jamietanna 4 minutes ago | parent | prev | next [-]

See also: https://news.ycombinator.com/item?id=46005111

As it arguably would have reduced impact

(I'm one of the Renovate maintainers and have recently pushed for this to be more of a widely used feature)

QuantumNomad_ 32 minutes ago | parent | prev | next [-]

Typo in title. Current title of HN post says:

> SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM

Should be Shai-Hulud, not SHA1-Hulud.

pezezin 3 minutes ago | parent | next [-]

The worm itself is posting the secrets in Github with the name Sha1-hulud: https://github.com/search?q=sha1-hulud&type=repositories

adzm 23 minutes ago | parent | prev | next [-]

That said, the secrets are uploaded to a repo named `Sha1-Hulud: The Second Coming`

zahlman 22 minutes ago | parent [-]

Ah, I missed that detail.

zahlman 23 minutes ago | parent | prev [-]

I don't know why you were downvoted. The actual page does not say SHA1, the attack as far as I know is not related to the SHA1 algorithm, and the name of the worm isn't intended as that sort of pun.

ChrisArchitect 14 minutes ago | parent | prev | next [-]

[dupe] Discussion: https://news.ycombinator.com/item?id=46032539

benzible 39 minutes ago | parent | prev [-]

Dup https://news.ycombinator.com/item?id=46032539

a4isms 27 minutes ago | parent | next [-]

Please use the word "Dup" for a resubmission of the same link and "See also" for a different submission.

swsieber 32 minutes ago | parent | prev | next [-]

This article has quite a bit more information though.

thih9 32 minutes ago | parent | prev | next [-]

Not a dup, this is a different article about the same event, with different information too.

neogodless 17 minutes ago | parent | prev [-]

See also: https://news.ycombinator.com/item?id=46032539 Shai-Hulud Returns: Over 300 NPM Packages Infected (helixguard.ai)

~6 hours ago | 430 comments