Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised(safedep.io)
40 points by theanonymousone 3 hours ago | 7 comments
wlkr 34 minutes ago | parent | next [-]

At this point I would very much like to get off Mr Bones' Wild Ride but I fear this is going to continue to happen because, from my own exploration at least, a large number of commercial detection strategies are directed at the repo/device/developer level when loading/using a package.

This seems analogous to how we tackle email spam and general malware. It means that there is almost always a target valuable enough for bad actors to continue trying. However, unlike email (mostly...), package managers are centralised authorities (and anything out-of-band is surely the developers problem?).

My ill-informed feeling is that we might need to change the culture of lazy versioning with rapid releases and focus on stable, deeply scanned versions at registries. There will be some effect of volume and scale so I could be off, but it still seems telling that this impacts high-churn languages more often.

I don't know, I would love a comprehensive article that explores the landscape right now.

cess11 4 minutes ago | parent [-]

Wondering about Mr Bones' Wild Ride and suspecting it might be a reference to the 1991 movie Nothing But Trouble I took a look, and found I had remembered it wrong.

The roller coaster in that movie was called Mr Bonestripper, https://www.youtube.com/watch?v=NEZEgd8GjJc .

Instead it comes from Roller Coaster Tycoon 2, https://knowyourmeme.com/memes/mr-bones-wild-ride .

As for the comparison with spam, there we kind of settled on making people accept spam by vacuuming up their email addresses in pretty much every commercial and social computer network setting, giving it a veneer of legitimacy. I think it is likely to happen in this area too, perhaps some combination of Oracle licensing surveillance agent style software and automated dependency management, i.e. 'solving' supply chain malware by whitelisting some other malware.

ares623 5 minutes ago | parent | prev | next [-]

If you think about it, this is actually a new kind of security. Security by numbers. Overwhelm the attackers with so many compromised services and devices that they get a reverse denial of service. It's inspired by nature in herd animals.

fnoef an hour ago | parent | prev | next [-]

I’m honestly at a point where I’m afraid to update any of my project’s dependencies, and I’m also afraid to run the locally without some locked down VM

exiguus 9 minutes ago | parent [-]

I also was at this point, and I decided to add cooldowns to every project.

moi2388 an hour ago | parent | prev [-]

Because of course it’s npm

type0 20 minutes ago | parent [-]

Does npm stand for "newly packaged malware"?