Crowdstrike Packages Infected with Malware (and other 167 packages infected as well)

Posted by Advocatemack@reddit | programming | View on Reddit | 225 comments

sigh.... Kinda getting sick of writing these, absolutely insane the pace of supply chain attacks anyway...
The same ThreatActors behind the NX S1ngularity attack have launched a self-replicating worm, it's infected 187 packages and its terrifying.

Yesterday a software developer Daniel Pereira noticed a weird repo being created.... when he looked into it he was the first to realize that actually tinycolor was infected with malware. He reached out to multiple people, no one took him seriously until he reached out to Socket who discovered that 40 packages were compromised.

Fun story, a little concerning but honestly this happens a lot so it's not crazy.... But then it got worse, so much worse.

When I woke up, our lead researcher Charlie Erikson had discovered that actually a total of 187 packages were compromised (147 more than Socket had reported) 20 of which were from Crowdstrike.

What does the worm do

Harvest: scans the host and CI environment for secrets — process.env, scanning with TruffleHog, and cloud metadata endpoints (AWS/GCP) that return instance/service credentials.
Exfiltrate (1) — GitHub repo: creates a repo named Shai-Hulud under the compromised account and commits a JSON dump containing system info, environment variables, and collected secrets.
Exfiltrate (2) — GitHub Actions → webhook: drops a workflow .github/workflows/shai-hulud-workflow.yml that serializes ${{ toJSON(secrets) }}, POSTs them to an attacker webhook[.]site URL and writes a double-base64 copy into the Actions logs.
Propagate: uses any valid npm tokens it finds to enumerate and attempt to update packages the compromised maintainer controls (supply-chain propagation).
Amplify: iterates the victim’s accessible repositories, making them public or adding the workflow/branch that will trigger further runs and leaks.

Its already turned 700 previously private repositories public This number will go down as they are removed by maintainers

if you remeber the S1ngularity breach this is the exact same type of attacker and 100% the same attackers.

The questions I have from that attack remain.... I have no idea why they are exfiltrating secrets to Public GitHub repos and not a private C2 servers (other than to cause chaos)

The malicious versions have since been removed by Crowdstrikes account. Here is a total list of the packages compromised and their versions


u/ahmedhfarag/ngx-perfect-scrollbar
u/ahmedhfarag/ngx-virtual-scroller
u/art-ws/common
u/art-ws/config-eslint
u/art-ws/config-ts
u/art-ws/db-context
u/art-ws/di
u/art-ws/di-node
u/art-ws/eslint
u/art-ws/fastify-http-server
u/art-ws/http-server
u/art-ws/openapi
u/art-ws/package-base
u/art-ws/prettier
u/art-ws/slf
u/art-ws/ssl-info
u/art-ws/web-app
u/crowdstrike/commitlint
u/crowdstrike/falcon-shoelace
u/crowdstrike/foundry-js
u/crowdstrike/glide-core
u/crowdstrike/logscale-dashboard
u/crowdstrike/logscale-file-editor
u/crowdstrike/logscale-parser-edit
u/crowdstrike/logscale-search
u/crowdstrike/tailwind-toucan-base
u/ctrl/deluge
u/ctrl/golang-template
u/ctrl/magnet-link
u/ctrl/ngx-codemirror
u/ctrl/ngx-csv
u/ctrl/ngx-emoji-mart
u/ctrl/ngx-rightclick
u/ctrl/qbittorrent
u/ctrl/react-adsense
u/ctrl/shared-torrent
u/ctrl/tinycolor
u/ctrl/torrent-file
u/ctrl/transmission
u/ctrl/ts-base32
u/hestjs/core
u/hestjs/cqrs
u/hestjs/demo
u/hestjs/eslint-config
u/hestjs/logger
u/hestjs/scalar
u/hestjs/validation
u/nativescript-community/arraybuffers
u/nativescript-community/gesturehandler
u/nativescript-community/perms
u/nativescript-community/sqlite
u/nativescript-community/text
u/nativescript-community/typeorm
u/nativescript-community/ui-collectionview
u/nativescript-community/ui-document-picker
u/nativescript-community/ui-drawer
u/nativescript-community/ui-image
u/nativescript-community/ui-label
u/nativescript-community/ui-material-bottom-navigation
u/nativescript-community/ui-material-bottomsheet
u/nativescript-community/ui-material-core
u/nativescript-community/ui-material-core-tabs
u/nativescript-community/ui-material-ripple
u/nativescript-community/ui-material-tabs
u/nativescript-community/ui-pager
u/nativescript-community/ui-pulltorefresh
u/nexe/config-manager
u/nexe/eslint-config
u/nexe/logger
u/nstudio/angular
u/nstudio/focus
u/nstudio/nativescript-checkbox
u/nstudio/nativescript-loading-indicator
u/nstudio/ui-collectionview
u/nstudio/web
u/nstudio/web-angular
u/nstudio/xplat
u/nstudio/xplat-utils
u/operato/board
u/operato/data-grist
u/operato/graphql
u/operato/headroom
u/operato/help
u/operato/i18n
u/operato/input
u/operato/layout
u/operato/popup
u/operato/pull-to-refresh
u/operato/shell
u/operato/styles
u/operato/utils
u/teselagen/bounce-loader
u/teselagen/liquibase-tools
u/teselagen/range-utils
u/teselagen/react-list
u/teselagen/react-table
u/thangved/callback-window
u/things-factory/attachment-base
u/things-factory/auth-base
u/things-factory/email-base
u/things-factory/env
u/things-factory/integration-base
u/things-factory/integration-marketplace
u/things-factory/shell
u/tnf-dev/api
u/tnf-dev/core
u/tnf-dev/js
u/tnf-dev/mui
u/tnf-dev/react
u/ui-ux-gang/devextreme-angular-rpk
u/yoobic/design-system
u/yoobic/jpeg-camera-es6
u/yoobic/yobi
airchief
airpilot
angulartics2
browser-webdriver-downloader
capacitor-notificationhandler
capacitor-plugin-healthapp
capacitor-plugin-ihealth
capacitor-plugin-vonage
capacitorandroidpermissions
config-cordova
cordova-plugin-voxeet2
cordova-voxeet
create-hest-app
db-evo
devextreme-angular-rpk
ember-browser-services
ember-headless-form
ember-headless-form-yup
ember-headless-table
ember-url-hash-polyfill
ember-velcro
encounter-playground
eslint-config-crowdstrike
eslint-config-crowdstrike-node
eslint-config-teselagen
globalize-rpk
graphql-sequelize-teselagen
html-to-base64-image
json-rules-engine-simplified
jumpgate
koa2-swagger-ui
mcfly-semantic-release
mcp-knowledge-base
mcp-knowledge-graph
mobioffice-cli
monorepo-next
mstate-angular
mstate-cli
mstate-dev-react
mstate-react
ng2-file-upload
ngx-bootstrap
ngx-color
ngx-toastr
ngx-trend
ngx-ws
oradm-to-gql
oradm-to-sqlz
ove-auto-annotate
pm2-gelf-json
printjs-rpk
react-complaint-image
react-jsonschema-form-conditionals
remark-preset-lint-crowdstrike
rxnt-authentication
rxnt-healthchecks-nestjs
rxnt-kue
swc-plugin-component-annotate
tbssnch
teselagen-interval-tree
tg-client-query-builder
tg-redbird
tg-seq-gen
thangved-react-grid
ts-gaussian
ts-imports
tvi-cli
ve-bamreader
ve-editor
verror-extra
voip-callkit
wdio-web-reporter
yargs-help-output
yoo-styles

[-]

TadpoleNo1549@reddit

this is honestly terrifying, especially the self-propagation part, the fact that it’s pushing secrets to public repos almost feels intentional for chaos or signaling, not just stealth, situations like this really show how fragile the npm ecosystem can be at scale, feels like stricter isolation and controlled workflows something like runable style boundaries are becoming less optional and more necessary

[-]

fratkabula@reddit

will using tools like Socket or Snyk for automated security scanning help?

[-]

Advocatemack@reddit (OP)

Socket yes Snyk no
Keep in mind I work for a direct competitor of Socket (Aikido Security)

The tool from socket that would keep you safe is Socket Safe NPM https://socket.dev/blog/introducing-safe-npm
Aikido has it's own tool called safe chain https://www.aikido.dev/blog/introducing-safe-chain

Both tools work in the same way, once a package has been detected to have malware, if you run npm install it will block the install process if the tool has malware.

Why does this work and not Snyk. Snyk relies on CVEs, this is essentially when a package is reported and confirmed to have a vulnerability or malware. This process literally takes weeks. By which time it's too late. Safe NPM or Safe Chain work of Sockets and Aikido's own malware databases which are updated in almost real time, for us its roughly 10mins before we detect and report a package (I don't know for Socket exactly but I do know it is solid and updated quickly so lets assume the same)

These are the tools that will protect from this kind of breach.
As per which one is better, I can't provide an unbiased view so you'll need to investigate yourself.
But Socket > Snyk any day

[-]

lirantal@reddit

Hi, my name is Liran Tal and I work at Snyk. Mack is awesome so first off thank you for doing a good job keeping security awareness high for everyone.

To the points about Snyk and mitigating this attack in the future. I work for Snyk, so as Mack said, biased but I'd like to correct above claims and provide an accurate observation:
- CVE assignment doesn't always take weeks. For reference, I reported a vulnerability to a maintainer via GitHub, they requested a CVE and GitHub assigned it within a day, it propagated to MITRE on the next day.
- Snyk isn't bound by CVEs, we actually uncover a large amount of vulnerabilities that don't have a CVE and as assign them a Snyk ID (Snyk tracks anywhere between 10-30% more no-CVE vulnerabilities, depends who you compare Snyk to)
- Snyk employs a security analysts team (probably like Aikido and others) and they review every CVE in case they are false positive (saves open source maintainers a lot of headache) and also tracks signals around malware
- With Shai-Hulud and with prior incidents they've been added to the Snyk database as soon as the malicious packages/versions were published. Snyk has an open database here that you can browse https://security.snyk.io/vuln/npm (just note that there's caching and limits there unlike when you actually use the Snyk tool to scan)

RE proactive measures -

The CLI that Mack was mentioning about Socket and Aikido is, dare I say, largely inspired by my own npq open source CLI project which superseded them by years (https://github.com/lirantal/npq/) and have been integrated with Snyk to detect vulnerabilities as well as malware signals (postinstall scripts, no provenance, etc).

[-]

Key-Boat-7519@reddit

Tools help, but the real win here is layering preinstall guards with CI hardening and provenance checks.

Fair point on Snyk: they’re not CVE-bound and do push malware signals fast. What’s worked well for us: pin versions and require PRs for any dep bump; add a preinstall gate in CI (npq, Socket Safe NPM, or Aikido Safe Chain); run npm ci --ignore-scripts and maintain a tiny allowlist; enforce 2FA and scoped npm tokens; rotate tokens; use GitHub OIDC to cloud instead of long-lived creds; set GITHUB_TOKEN to read-only by default; restrict Actions to approved workflows; and route installs through a registry proxy (Artifactory/Verdaccio) that can quarantine new releases.

On the app side, we’ve used Kong and AWS API Gateway, and DreamFactory to front databases with RBAC/OAuth so builds don’t carry raw DB creds.

Bottom line: use multiple layers-preinstall scanning, strict CI secrets, and cautious update workflows-rather than betting on one scanner.

[-]

lirantal@reddit

By the way, I've now published https://github.com/lirantal/npm-security-best-practices - would appreciate any feedback, ideas to add, anything that can be improved :)

[-]

lirantal@reddit

Agree! defense in depth. I'd add some more like working in devcontainers, relying on secrets management or vaults like 1password or infisical for local and remote dev workflows.

[-]

RyanSpunk@reddit

It should be NPM themselves that do this malware scanning. What a joke.

[-]

YouDoHaveValue@reddit

> manual approval

$$$ says no

[-]

RyanSpunk@reddit

Done by another authorised approver for the project, or for a solo Dev after rechecking 2FA and a thorough malware scan and a delay to monitor for a compromised account

[-]

morricone42@reddit

You said this independent developer was the first notice though. What about your automated systems? Do they scan all npm uploads and triggered for this?

[-]

Advocatemack@reddit (OP)

Yes we did scan and detect them all. But with complicated malware like this our system needs a human to review. Sometimes its clear cut and we can just flag it immediately, and sometimes we need a review. In this case we needed a review which is why there was a delay

[-]

UnidentifiedBlobject@reddit

Not sure if it’s a stupid question but do these work with pnpm

[-]

ScottContini@reddit

So Aikido and Socket are solving the right problem at the right time. Must be getting good $$$ given all the recent events.

[-]

_clarkio@reddit

Yes those types of tools will help significantly to alert you if it finds the affected packages in your dependency tree. Admittedly I'm biased towards Snyk but my recommendation is to at least use something to help you be more aware of the impact to you and your projects when this type of thing happens. Many of them offer pretty generous free tiers too.

[-]

Namarot@reddit

Not before the issue is discovered and a CVE is published or their own vulnerability database is updated though.

[-]

lirantal@reddit

u/Namarot true that issue needs to be discovered first (and this is most times how mostly everyone else are finding it, from a community user submitted report to a GitHub issue)

however, Snyk doesn't require a CVE, in-fact there are likely hundreds if not more of vulnerabilities on the Snyk vulnerability database that have no CVE assign. We assign them a Snyk ID and you'd be getting scan results for shai-hulud malicious packages likely as soon as these packages are known to be malware.

On another note - not sure if you are doing anything proactive but I'd be happy to learn any feedback from you trying out npq https://github.com/lirantal/npq/ which is a preventative measure that runs before an "npm install" and surfaces malware signals and other package health information to you (typosquatting, unmaintained npm package, etc)

[-]

Namarot@reddit

I'm aware that Snyk, Mend, etc. have their own vulnerability databases that tend to act faster than the CVE process; that's why I mentioned it.

Besides SCA, a runtime security tool a la Trivy that could potentially detect and block irregular activity could be highly effective.

[-]

Icy_Raccoon_1124@reddit

I agree with u/Namarot here. SCA/SBOM tell you the package looked fine at publish, but the real action (secrets dumped to GitHub, workflows injected, npm token reuse) only shows up once the code executes. That’s why more teams are layering in runtime telemetry: process ancestry, DNS/HTTP egress, unexpected workflow spawns. It’s the only place you actually see the worm detonate.

[-]

_clarkio@reddit

Correct

[-]

chuch1234@reddit

Okay but more importantly: is it pronounced snick or sneak?

[-]

_clarkio@reddit

sneak :)

[-]

shoter0@reddit

If you install the package it is too late. If those things scan packages before installing then it will help, otherwise it might not.

After installation (not during compilation/running!) of the package this script is going to run.

[-]

lirantal@reddit

Indeed too late, have you looked into using npq as a proactive measure to prevent postinstall and surface signals to you as a developer so you don't auto-install malware?

npq: https://github.com/lirantal/npq/

[-]

light-triad@reddit

These tools are meant to integrate with your CI pipeline. You build your Docker image (installing all of the packages), but Snyk scans the Docker image before you deploy it anywhere.

[-]

shoter0@reddit

So that means that malicious scripts needs to run at least on developer machine as you need to use npm install to update/install dependency.

[-]

eracodes@reddit

ty for replicating the table in reddit. that website runs like it's trying to fry eggs inside of my computer.

[-]

DiligentRooster8103@reddit

Website performance impacts accessibility. Heavy sites exclude users with older devices or limited bandwidth

[-]

Advocatemack@reddit (OP)

Thats just the Crypto we are mining, don't worry about it

[-]

RestInProcess@reddit

I’ve always wanted my computer to be useful, and now you’ve made it exactly that.

[-]

QuantumQuack0@reddit

Meanwhile, our IT department:

"We will install crowdstrike on all company-managed devices and you're only allowed to use company-managed devices! What do you mean security incident? They have all the certifications!" (no joke that is literally their argument)

[-]

Piisthree@reddit

Yeah, our IT department is also a c.y.a. department. Things might not be safe, but as long as everything is certified, they feel warm and fuzzy.

[-]

redneck-it-guy@reddit

Sometimes you have to check the box in order to get a cyber security insurance policy or win business from customers who require some kind of survey or assessment. Even if it is dumb.

Not saying endpoint protection software is dumb but all software has risks. People who think there issues are unique to one vendor are kidding themselves.

[-]

cake-day-on-feb-29@reddit

Nothing has harmed the IT industry more than certification bullshittery brought by CompTIA, Microsoft, Oracle, and others.

[-]

tevert@reddit

Certifications are just a way for corporations to triple-dip on their customers while only actually selecting for people whose skillset is "good at test-taking".

[-]

fuhgettaboutitt@reddit

A lot of advertising in our industry is not directed at those of us who get shit done or have core competencies; a lot of advertising is directly and exclusively targeting our least capable: the execs. These certs are exactly that: "hey if you hire someone with these skills you will have less risk using our tech" isnt as insidious sounding as "we have a twenty hour advertisement for all of your employees so they know exactly which products cost which amounts and connect 'seamlessly' in our ecosystem."

I hold no certs, am interested in zero jobs that require them.

[-]

Proper-Ape@reddit

I'm always surprised by how many people think they have any real value or meaning.

The people or the certs? It's both isn't it.

[-]

xmBQWugdxjaA@reddit

And the insurance companies, and government with security regulations.

It's lawyers and bureaucrats all the way down.

[-]

syd-slice@reddit

You think they are using bunch of npm packages to run on your system?

[-]

Vector-Zero@reddit

Thet do it with our text editors nowadays. I wouldn't put it past them.

[-]

xADDBx@reddit

Isn’t that for (among other things) liability?

[-]

Bring_the_Truth@reddit

I'm not trying to sound paranoid but isn't it strange that a high percentage of companies hacked have a Crowsdstrike affiliation? Crowdstrike has lost money every year except 2024 when they accidently exposed their ability to do more damage than a hacker. They lied to help democrats weaponize Russia Hacking against Trump. (As exposed in recent sen Grassley unclassifed investigation pages released). They report covering 300 of the fortune 500 companies and yet Data breaches are up rising. Plus its reported that 80% of fortune 500 companies failed at Cybersecurity testing. Do the math and that means crowdstrike failed. Now they mysteriously know exactly which major companies accidently hire North Korean remote I.T. staff. Hmmmm........Would be profitable to have a staff of North Koreans working behind the scenes trying to get jobs at major companies so that they can report it for a bonus and Crowdstrike can swoop in and save the day and pickup a new customer. Hmmm. They say they know because of AI. Their A.I. must be psychic to know who non-customers are hiring.

[-]

shroddy@reddit

The same Crowdstrike that caused the huge outage last year?

[-]

cyanight7@reddit

And DESPITE THAT their stock is still up almost 30% ytd. Absolute insanity

[-]

Celestium@reddit

Buying CRWD on BSOD day was legit the freest money I have ever made on the stock market - doubled my money on shares lol.

[-]

wetrorave@reddit

Is attention = investment a real dynamic? Serious question.

[-]

Celestium@reddit

Is the attention negative and does the company make money?

More specifically does the company profit in a way you understand and would you pay real money for their services were you in a position to, regardless of the current negative attention?

If yes, buy.

Not your entire portfolio, just some fun money in an amount you decide lol.

[-]

Bring_the_Truth@reddit

Blackrock and the other big investment firms own the stock so they keep the price high for their portfolio. But, if you look at insider trading you will find that the executives are selling it off like the last one holding it loses.

[-]

rindthirty@reddit

It can be unless it's not. The challenge is to trade consistently well enough that it can replace a full-time job and not risk your holdings too much. If it were that easy, everybody would be doing it and everybody would be beating the market. The reality is that everyone, on average, is average.

Read https://www.reddit.com/r/personalfinance/comments/7ysena/warren_buffet_just_won_his_tenyear_bet_about/ as well as Benjamin Graham's The Intelligent Investor.

[-]

Chii@reddit

their stock is still up almost 30% ytd

the fact is, their software is on end users' machines without said end users' say so, and their sales are to the CTO level executives that don't have the end user's concern in mind (it's all audit/checkbox security).

And empirically, these companies have not moved off crowdstrike after their fiasco. Therefore, the stock market correctly predicts that this software is very sticky in the enterprise, and thus revenue is just as sticky.

[-]

kentrak@reddit

It makes perfect sense. When you shit the bed that bad and don't lose any customers, the market realizes you've gotten them far more locked in then they thought, and your position is a lot stronger than they thought, and responds by throwing even more money at you because obviously you're holding the families of your customers hostage or something.

On the other hand, if you fuck up and lose half your revenue, your stock will crater more than half because not only did you lose half your revenue, you've also shown you have nothing beyond momentum keeping people with you and also that you may have quality problems.

[-]

anengineerandacat@reddit

Mostly because it's still better than competitors in terms of usability.

That outage involved two events.

Crowdstrike pushing out a shit update
Businesses not testing the update in a lower environment and instead #yolo'ing it into production.

Don't want to victim blame, but like... don't just throw untested code into production?

[-]

tevert@reddit

You see, it's e n t e r p r i s e software

[-]

ziroux@reddit

To boldly bill where no budget has gone before.

[-]

meltbox@reddit

Yeah, but I don’t get it. I mean it’s not even web scale.

[-]

cyanight7@reddit

Subscribe now. For only one billion dollars per month we will upload all of your data to an unencrypted google drive

[-]

hennell@reddit

Makes sense in a twisted way. They showed how big their business is, and that they're pretty invaluable. If customers didn't leave then, they're never going to leave.

A business with an enormous number of trapped customers is probably a good investment.

[-]

philh@reddit

Prior to this, why wouldn't it be up YTD? Their stock crashed last July when they caused that outage. They haven't caused any massive outages this year, so why wouldn't their stock be up this year?

The surprising thing to me is that their stock is up 15% since pre-crash (~390 to ~445).

[-]

TommaClock@reddit

They have friends in the current US administration. And the US is implementing a certain system if government where all business must be approved by the state.

[-]

sumredditaccount@reddit

A lot of garbage is up. Just end of cycle shit.

[-]

wrosecrans@reddit

I am kind of amazed people were so surprised by that outage.

I was at a company that adopted it, and 100% of the engineers were skeptical of running third party code in-kernel. Even the coworkers I didn't respect found the failure modes there fairly obvious, and we suggested things like running Falcon on a % of servers to act as canaries so if the canaries detected an attack we would assume the attack was hitting 100% of servers.

Over the last decade, Crowd Strike has absolutely prevented X number of major attacks that would have led to serious outages. And X is greater than 1. To do that, it centralized risk in one piece of software in-kernel that was going to have a bug sooner or later because all software has bugs sooner or later. It just became very visible because a bunch of enterprises had 1 outage on 1 day, rather than 50 individually smaller outages spread across 25 days.

The blind faith some executives and journalists had in the marketing copy for Crowdstrike was genuinely insane. Like, those executives shouldn't be allowed to have a Chromebook for email, let alone be a CTO.

[-]

shroddy@reddit

It is a bet that you are forced to make, and which you can only loose.

[-]

happyscrappy@reddit

They seem to be only mentioned for clicks. There are 187 packages compromised, only 20 from Crowdstrike. Seems an odd call out.

[-]

Stronghold257@reddit

I don’t think it’s an odd callout when a large company has their packages compromised

[-]

meltbox@reddit

Especially when they’re supposed to be experts on threat and intrusion detection. Pretty embarrasing.

[-]

Hacnar@reddit

Every big enterprise has faced some kind of intrusion, it's unavoidable. The response, or the rate of such incidents can be be embarrassing, but the incident itself isn't.

[-]

Deranged40@reddit

You really don't understand what Crowdstrike does, do you?

[-]

Hacnar@reddit

I probably do understand it a lot better than most here. I've worked on security software for several years, and know people who worked on different security software too. I've seen startups, I've seen huge corproations.

If you say it is embarrassing, then you probably haven't spend enough years working in any huge company. Mistakes are unavoidable. Sometimes multiple issues pop up at the same time, with no time to fix all of them in a satisfactory time frame. Sometimes external issue forces you to scramble a response that is hopefully good enough until a proper solution is found. There arte many scenarios how things can break down even if you follow all the best practices.

It's hard to find a big security software vendor that hasn't been a victim of a successful attack. Some incidents were more public than others. Some were more serious than others. Expecting to successfully defend against everything that comes your way is naive. Otherwise there wouldn't be so many processes and guides to quickly react and minimize the impact of these attcks already in place everywhere.

[-]

Deranged40@reddit

It's one of the two. Either you don't understand what Crowdstrike does or you don't understand what Embarrassing means.

[-]

Hacnar@reddit

It's neither. You are informing me of your simplistic views on the matter.

[-]

cinyar@reddit

How is a company that sells protection from malware getting infected with malware not embarrassing?

[-]

cinyar@reddit

Crowdstrike is a cybersecurity company, they are literally selling protection from malware.

[-]

rindthirty@reddit

10%

[-]

Deranged40@reddit

ONE package would be too many, and enough to warrant a callout.

THIS IS TWENTY!

[-]

Saki-Sun@reddit

It's their job to stop this shit (and make my computer slow as arse), not propagate it.

[-]

mnp@reddit

Documentary here

https://clownstrike.lol/

[-]

frankster@reddit

That Crowdstrike that boasts on their website about how they prevent npm supply chain attacks. https://www.crowdstrike.com/en-us/blog/crowdstrike-falcon-prevents-npm-package-supply-chain-attacks/

[-]

retro_grave@reddit

It's in the name. They won't stop until they strike everyone.

[-]

cake-day-on-feb-29@reddit

Heh, just like Microsoft.

[-]

KevinCarbonara@reddit

Reminder that Microsoft had previously pointed out that Crowdstrike was, itself, a security flaw

[-]

vplatt@reddit

You mean they make you 'micro' and 'soft'? 😅

[-]

Saki-Sun@reddit

CrowdStrike 2

[-]

cauchy37@reddit

The one and only.

[-]

Zomgnerfenigma@reddit

npm users should seriously go in lock down. freeze everything and verify everything by hand. cut the ties to npm and move on. it's SO over.

[-]

ArdiMaster@reddit

I’m pretty sure you’d have fundamentally the same issue with PyPI, Rust crates, Go, NuGet (.NET), or generally any platform that lets developers publish packages without (in-depth) human review.

[-]

Alikont@reddit

The problem of NPM is that a lot of dependencies are using "wildcard" versions like "^1.2.3.4", meaning that any version bump is automatic malware deployment.

NuGet packages in general pin their dependency versions, so updates are rarer and more visible.

[-]

GergelyKiss@reddit

...and yet, it's always NPM. It's the low barrier to entry, the churn, the impatience, the "my framework is better than the dozens before me", the nice-to-haves, the crappy POCs that become widely-used libraries due to hubris and hype... I think it's a culture issue more than anything.

[-]

Significant_Treat_87@reddit

Totally, imo. I was so shocked when I first started working as a frontend dev. People installing super advanced packages and libraries for even the simplest stuff that I felt they should have just spun up a quick custom implementation for. Why are we obsessed with all this third party code??

In my experience it doesn’t even wind up saving much time if any, because you exert so much effort learning the nuances of all these bloated dependencies and keeping them maintained, etc. The number of build warnings for completely deprecated and even dangerous packages is absurd at the average software company from what I’ve seen and heard. Nobody has time to maintain it.

[-]

SimonTheRockJohnson_@reddit

> . The number of build warnings for completely deprecated and even dangerous packages is absurd at the average software company from what I’ve seen and heard. Nobody has time to maintain and truly understand it.

Switching our dependency tracking that contains auditing and upgrade EOL warnings to internal NIH code is not going to fix this problem. It's actually going to make it worse, the root cause is the company is not prioritizing maintenance of its tech debt. Moving to internal libraries is a recipe for disaster in these cases because internal libraries will begin to sprawl and be just as unmaintained as the dependency tree is which is a worse and more expensive long term code outcome.

[-]

Significant_Treat_87@reddit

You’re arguing against something I wasn’t actually meaning. I’m talking about instances where someone needs like a modified scrollbar and instead of just writing it they install “awesome-scrollbars” with 19 other totally unnecessary functions.

Idk, your whole argument gets totally destroyed by all these epic exploits that keep getting revealed lol. Enjoy having ur sh*t pwned, n00b

[-]

SimonTheRockJohnson_@reddit

> You’re arguing against something I wasn’t actually meaning. I’m talking about instances where someone needs like a modified scrollbar and instead of just writing it they install “awesome-scrollbars” with 19 other totally unnecessary functions and then it gets forgotten about. Not even beginning to mention the endless dependency tree of “awesome-scrollbars”, you’re advocating for a literal ouroboros situation — doesnt make any sense.

In commercial software development this is a problem with access controls and library vetting. On any project I've worked on we have a fairly limited set of people who can actually add package dependencies with minimal oversight, and even those people follow the general process for proposing such things.

> your whole argument gets totally destroyed by all these epic exploits that keep getting revealed lol. Enjoy having ur sh*t pwned, n00b

Oh I get it you're like 14 and don't actually do this as a job.

[-]

Significant_Treat_87@reddit

Been in the industry 7 years 💪 (sorry, just being playful).

It does sound like your company is a lot smarter than mine. We have a culture where literally anyone can and does add packages left and right. I think this is pretty common in the industry. So I apologize that I’m complaining about something you just haven’t encountered.

Also for the record my company isn’t some no name tiny shop — we had 9bil in revenue last year.

[-]

SimonTheRockJohnson_@reddit

Engineering standards are not something that Management will ever give you or ever care about. It's up to Engineers to be professionals and fight for those standards. That's unfortunately "the job" esp. at higher levels.

It doesn't matter how much money you company makes, it doesn't matter what sector they're in, it doesn't matter if they're "not a software company".

There are plenty of teams at my company and every company I've worked at who at one point were or are code monkeys. This can only change by advocating for your own structure and explaining the benefits to the company (e.g. fighting management). This is not easy, it drives you insane, and ultimately it's why the state of the industry is the way that it is.

[-]

Significant_Treat_87@reddit

We do have some vetting but yes I agree with everything you’re saying. And lately they definitely do view us as code monkeys (it’s really sad, used to be a great company to work at despite how messy the legacy code was)

[-]

Zomgnerfenigma@reddit

If you have to maintain your own deps, then you will never end up with so many deps. All micro packages go to stuff.js, boom 80% less deps.

Your premise is that the structuring of js projects is ideal. THAT is false.

[-]

SimonTheRockJohnson_@reddit

It doesn't matter even if you have 10x less deps, you have more code to maintain overall.

> Your premise is that the structuring of js projects is ideal. THAT is false.

This has nothing to do with JS or not JS.

[-]

Zomgnerfenigma@reddit

Dude you just disagree with everything and make things up. Thinking for a minute would help.

[-]

quentech@reddit

It's the

giant chains of dependencies.

When every damn library has three dozen dependencies and each of those has their own three dozen dependencies, then taking over some random repo potentially gives you a lot of reach up and across the chain.

[-]

kyoumei@reddit

Reminds me of the left lad incident

[-]

wutcnbrowndo4u@reddit

Man I had an argument with someone on this sub a week or two during which they defended use of left-pad with "NPM is the JS ecosystem's equivalent of a stdlib and thus it's the right choice to introduce a breaking dependency to avoid 5 lines of code".

The culture of the Javascript ecosystem is incredibly insane

[-]

SimonTheRockJohnson_@reddit

Yeah it's because NPM is popular.

This was literally the argument against Ruby / Ruby Gems like 15 years ago.

[-]

poop_magoo@reddit

It's a free for all. The priority is always to lower friction, make it just work. This is the philosophy at every level of the ecosystem. Just look at how package version resolution is handled. You can have a dozen different major versions of the same package in a single application, and it will happily compile and ship that without batting an eye. This mindset is persistent throughout the entire ecosystem. The question of "can we", almost always trumps "should we".

[-]

wutcnbrowndo4u@reddit

I am blessed to not have spent tons of time interacting with the JS ecosystem, but the Python ecosystem doesn't come anywhere close to. Often when I read about one of these attacks, some insane decision made by NPM maintainers is involved.

[-]

LuckyHedgehog@reddit

Other languages have robust standard libraries to build on, and then selectively pull dependencies on top of that. Javascript does not, so to get basic functionality you pull in a ton of npm packages. Those packages are probably also built on a stack of packages.

The language itself encourages pulling in tons of dependencies which drastically increases attack surface

[-]

Zomgnerfenigma@reddit

And I am pretty sure they don't have myriads of low skilled devs that publish and use trivial packages.

[-]

Horror_Dot4213@reddit

Until the newbies flock to the next packManager after cutting ties with npm

[-]

Somepotato@reddit

None of these vulnerabilities are exclusive to npm. It just has a larger attack surface. It would be easy to do this same attack with, say, Maven.

[-]

eras@reddit

As I understand it, using the same attack for Maven, the attacker would need to change the signing key for the package which I think requires changing the signing name as well, making the attack much more visible.

But Rust Cargo on the other hand..

[-]

cool_and_nice_dev@reddit

What’s special about Rust Cargo?

[-]

eras@reddit

The packages are not signed.

[-]

wutcnbrowndo4u@reddit

I wouldn't call it special per se, though

I can't quite parse this, what do you mean by "wouldn't call it special per se" here? Are you saying that Cargo on its own isn't unique, but some facet of how it's maintained makes it so?

[-]

eras@reddit

I was saying that the lack of package signing doesn't make it unique or special.

[-]

wutcnbrowndo4u@reddit

Gotcha, I think I was confused by the use of "per se", which means "taken on its own", when you were just using it as a filler word

Promise I'm not being a pedant! Was legitimately confused if you were making a specific point about narrow vs broad consideration of package signing

[-]

Somepotato@reddit

Well, the thing is this malware sniffs for everything it can including credentials which would also include CI key, from the developer machine.

[-]

eras@reddit

If some other malware can get from the developer, then yes. But it seems the Maven ecosystem itself is quite a bit more difficult to penetrate compared to ecosystems without it, as tricking the developer to provide their 2fa credentials to the attacker won't be enough.

[-]

shagieIsMe@reddit

Maven downloads a .jar file. Sure, there can be malware inside the jar, but that's the entirety of it (and running it would be Very Bad). It doesn't install programs into the command path of the user, nor does it run additional build scripts to compile the code or other libraries.

Next there's the culture of Java developers - we tend to pin a version. It's not an open ended range for what we download or a "give me the latest 3.5 build for Spring Boot" rather its "3.5.5" and that's it. When 3.5.6 comes out, give it a month before it updated in the various builds.

mvn package will download jar files and transitive dependencies and build a jar file. Nothing more. No install scripts.

While not impossible, it would take a much more concerted effort to push a new version of a package, that would take a while to get updated, and would likely get detected before anything happened, and even if it did get in there and updated and downloaded and packaged... its in a jar file that's likely in a docker container that should be suitably limited to what it can access (not the publish credentials for other packages).

The culture of java developers and the limited capabilities the package manager has makes it a harder target to exploit as part of the package manager install process.

[-]

equeim@reddit

Maven downloads a .jar file. Sure, there can be malware inside the jar, but that's the entirety of it (and running it would be Very Bad). It doesn't install programs into the command path of the user, nor does it run additional build scripts to compile the code or other libraries.

Maven and Gradle plugins can be compromised in that way though, as well as annotation processors.

Next there's the culture of Java developers - we tend to pin a version. It's not an open ended range for what we download or a "give me the latest 3.5 build for Spring Boot" rather its "3.5.5" and that's it. When 3.5.6 comes out, give it a month before it updated in the various builds.

That only controls direct dependencies. For proper control of entire dependency tree you need lockfiles. I don't know about Maven, but Gradle does not use lockfile out of the box and setting it up is pain in the ass so nobody uses. Which means that every time dependencies are downloaded there is no guarantee that the same artifacts will be used (even if all the versions are the same).

[-]

Zomgnerfenigma@reddit

Not too much into the diversity of package managers. But why is it even possible to publish anything without human control?

[-]

oceantume_@reddit

Send your new version's full hash by pidgin and we'll publish it within 2 to 5 business days if it matches.

[-]

Weird1Intrepid@reddit

pigeon*

[-]

Janymx@reddit

Huh? I never heard of it as a derogatory term. Just a linguistics term.

[-]

Ieris19@reddit

Pidgin is not derogatory whatsoever, and is distinct but similar to Creoles and other related concepts

[-]

CarnivorousSociety@reddit

I was thinking he meant the chat software pidgin lol

[-]

vplatt@reddit

Same

https://pidgin.im/

[-]

ArtOfWarfare@reddit

Yes, what part of that was confusing? If the letter that comes with the hash isn’t written in Creole, it won’t be accepted. AIs only know English so this weeds them out.

[-]

Weird1Intrepid@reddit

sari, mi no try fi mek no enemies

[-]

Somepotato@reddit

Anything a user can do a computer can do too.

[-]

CarnivorousSociety@reddit

Except for finding the pictures of busses, apparently

[-]

FineWolf@reddit

Yes, and no.

First, npm has also package provenance verifications using a different mechanism: https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/

Second, this particular attack was made possible by compromising the CI process of known packages to commit malicious code within the package's source repository. Given that most packages on Maven are also built and uploaded with CI/CD, the attacker wouldn't need to change the signing key, the CI pipeline normally has access to those.

[-]

TomKavees@reddit

I admit i haven't published anything on maven central in a while, but the last time around you could've pushed to snapshot and staging repos all you wanted, but the final publishing step required logging in to push da butan. Staging repo is (was?) Not really accessible for day-to-day operations and vast, vast majority of the ecosystem did not care for the snapshot repo.

That being said you could've automated most of it away, but at least there was some firebreak

[-]

2bdb2@reddit

It would be easy to do this same attack with, say, Maven.

Maven doesn't allow install scripts, and requires code signing.

Doesn't make it bulletproof, but does significantly shrink the attack surface and makes an attack harder.

[-]

piesou@reddit

Unlikely to happen in java land because there's a thing called standard library (although lacking in comparison to kotlin) and Spring. You rely on a few well known, well maintained packages. it's the same across many languages except for rust who thought they must emulate npm

[-]

meltbox@reddit

You’re right, most of these are anchored in the absolutely brain dead idiotic strategy of using public code that someone outside your org has authoring rights for in internal code.

I mean it’s only a violation of the most basic security principles, but let’s keep pretending it’s not.

[-]

Somepotato@reddit

You mean...like Linux?

[-]

Genesis2001@reddit

None of these vulnerabilities are exclusive to npm.

You're right, let's just nuke JavaScript and its ecosystem from orbit instead. :)

[-]

TomKavees@reddit

A decent standard library would be a good start

[-]

lechatsportif@reddit

100% not true. You can google for yourself, but here's a quick ai summary: Ecosystem Maturity and Governance Maven has been around since 2004 and has more established governance. Maven Central (the main repository) has stricter publishing requirements - you need to verify domain ownership, use proper group IDs that match your domain, and go through a more rigorous verification process. npm's barrier to entry is much lower.

Not to mention people depend on stable mature products (enterprise if you will) like commons like, unlike the absolutely nutso free for all that is node.js.

It's about maturity.

[-]

Somepotato@reddit

Ehm, none of that verification matters when the very developer that publishes packages is compromised. That's literally only for new packages.

[-]

TomKavees@reddit

In this case correct, it does not, but to grandparent's point Central by its design weeds out a fair bit of other attacks like typosquatting

[-]

sparr@reddit

What you're missing is that npm is relatively unique in that the simplest (and most common?) way to add a package to a project defaults to adding it with no version restrictions. That's at the core of the problem. Other platforms that fetch packages don't have the same degree of problem because unversioned dependencies aren't the default or as widespread.

[-]

Somepotato@reddit

Lock files do, though. The default behavior of npm is to pull in a way that allows different minor versions, but the lock files will lock them to the version pulled at the time of retrieval.

[-]

McGlockenshire@reddit

Lock files do, though.

Well yes because that is not the attack we are describing here.

[-]

Somepotato@reddit

It generates the lockfile whenever you pull anything.

[-]

McGlockenshire@reddit

whenever you pull anything

Yes, that's the attack.

[-]

TheBanditoz@reddit

If that's the case, why does maven central never seem to get such attacks almost every month unlike npm?

[-]

Somepotato@reddit

It does get attacked. But like I said, NPM comparatively is a much larger attack surface.

A protection would be hardware passkeys which are unphishable and are nearly impossible to sniff without user consent.

[-]

EarLil@reddit

they wouldn't be able to compile java correctly lol

[-]

Zomgnerfenigma@reddit

I don't expect do continue the same stupidity with another product.

[-]

Any_Obligation_2696@reddit

Easier to blame the devs and keep it as it is.

JavaScript should never be used, not in web dev and not in anything anywhere.

Unfortunately it’s so baked in its unavoidable. Dumbest shit ever with many viable solutions but no willpower to do it. They made a wrapper called typescript to fix some of it but not really any of it.

[-]

ClownPFart@reddit

More javascript/npm stuff I presume? You could have been so kind as to specify since not everyone works in the abyss of stupidity that is web development.

Anyway since I dont, for me it's just tuesday, and I'll be over there laughing at the limitless idiocy of web developpers

[-]

MrMathieus@reddit

Is the entire point your comment to look like an ass? Because if so, you did a great job.

[-]

OldMoray@reddit

They have to cosplay as a programmer somehow

[-]

ClownPFart@reddit

Im not sure whether its me or programmers in general who were supposed to be owned by this comment

[-]

ClownPFart@reddit

Damn how will I ever live down to looking like an ass on reddit

[-]

Advocatemack@reddit (OP)

They say as they enjoy using Reddit... a web app built by... 'idiot web developers'

[-]

ClownPFart@reddit

I, in fact, do not enjoy it

[-]

cake-day-on-feb-29@reddit

Reddit... a web app

Imagine using the nu-reddit shitheap instead of the old reddit HTML

[-]

wutcnbrowndo4u@reddit

The old UI still qualifies as a web app, no?

Posted from old.reddit.com

[-]

stormdelta@reddit

I also come to reddit to see posts written by people, but here you are and you're entire OP is generated. Why I should I trust that anything you posted is accurate?

[-]

axonxorz@reddit

Bro where's the bandwagon, I need on to feel better about myself

[-]

2rad0@reddit

And people think I'm the weird one for insisting every package on my system be compiled without an internet connection. These build systems like cmake/meson/etc that facilitate the culture of automatic dependency downloads makes me extremely uncomfortable.

[-]

protocol_buff@reddit

The internet connection being the problem is one way of looking at it.

For me it's more like we don't have any guard rails around untrusted builds on our system. You could easily disconnect your internet and start a build only to have it delete your whole drive.

[-]

2rad0@reddit

Yeah, no one wants to be bothered to create a new user account for running build scripts, and compiling. You can add 50 different defensive layers at the software level, only to have them knocked down by hardware vulnerabilities in ROM, firmware, side-channels, "trusted" microcode update, or worse. Which brings us out into the weeds and now I can see why most will throw their hands up and settle for the least annoying good enough solution. Check out one of the uEFI reference implementations if you want a few sleepless nights. I tried to build tianocore once, and just gave up it's so annoying to compile. I doubt anyone is studying at this code seriously if it's such a hassle to compile.

[-]

josefx@reddit

I can't understand why people would even blindly pull in the latest version of a library to begin with. Every time someone pulled that shit in our build system things started to break at random.

[-]

Revolutionary_Ad7262@reddit

It is safe, if your tool check the hashes. It really does not matter, if dependency is fetched from trusted disk or untrusted internet, if hashes protects you

The problem is of course unsolved for versions bumps, but it is not a fault of the automatic dependency fetching except the fact, that automation makes this process easier

[-]

2rad0@reddit

Yeah that can definitely help if they are using the right download_file_with_hash(url, hash) function but what good is the hash string if the download URL is pointing to a malicious upstream? You have to check every build script in the dependency chain to be certain all of them are checking hashes or else bad code, or bad URL+hash can creep in. I don't know how meson and other build systems do it, so maybe I'm wrong and they only provide hash protected downloads. Just hope it's not through a central server that holds both the url and hash, because that becomes a big target for supply chain injection and you're only one corrupted DNS query away from danger.

if hashes protects you

A hash doesnt theoretically protect from a highly sophisticated attack, you would need something more like multiple hashes or hash and file size. For better protection they should be checking signatures too, but there doesn't seem to be a centralized certificate store for this to handle revocations and distributing new certs, so developers have to chase them down one by one if they want to be thoroughly protected.

In practice this is too much work and slows down the development process, so people who worry about these theoretical attacks are labelled weirdos or cranks, and the wheel keeps turning.

[-]

yksvaan@reddit

About time people start actually thinking what it means to download and execute arbitraty code from external sources.

How about starting to get rid of unnecessary dependencies now...

[-]

N1ghtCod3r@reddit

Is that an option in JS/TS world?

[-]

cancerBronzeV@reddit

Ya, but they'd have to learn to actually program.

[-]

_clarkio@reddit

Yes though maybe not the most convenient

[-]

Previous_Exchange494@reddit

When the hunter becomes the bait: even CrowdStrike can’t patch irony.

[-]

arekxv@reddit

Welp, I can say its official. Package manager golden era is over. Ruined by crypto.

It is a huge security risk, and now the worst is happening.

[-]

CyberAttacked@reddit

Here we go again…

[-]

jeremybarbet@reddit

Is there any desktop app, terminal CLI that can go over history of npm installs and check if any compromise versions were installed at some point?

These attacks are happening every other day and probably more that we are not aware of, I can’t keep up seriously…

[-]

MonkeyIsNullo@reddit

This _might_ be helpful: https://github.com/Cobenian/shai-hulud-detect

[-]

curious_s@reddit

Npm has an audit function that will highlight known, reported vulnerabilities.

Maven, nuget also have reported vulnerabilities against packages and which version was affected.

[-]

notnooneskrrt@reddit

I’m getting fuvking laid off due to tariffs, and picked up some typescript and other web related languages to broaden my hiring chance. Fuck this

[-]

wutcnbrowndo4u@reddit

Sorry to hear that and best of luck in your job search, but I highly doubt that demand for Typescript is going to be affected by this breach

[-]

notnooneskrrt@reddit

Thank you man, not sure why people downvoted. It’s uplifting to read your comment! It is to be expected since web is so fast developing

[-]

spangborn@reddit

The questions I have from that attack remain.... I have no idea why they are exfiltrating secrets to Public GitHub repos and not a private C2 servers (other than to cause chaos)

Probably because traffic to Github wouldn't likely be flagged as a problem, compared to a C2 server. It also makes it resilient against just having a C2 server taken down.

[-]

pbacterio@reddit

Not related: https://www.reddit.com/r/Layoffs/comments/1kgvj32/500_layoffs_at_crowdstrike/

[-]

EliSka93@reddit

creates a repo named Shai-Hulud

Ok that's a little bit funny.

[-]

syklemil@reddit

So does this mean devs with packages on NPM should learn to walk without rhythm?

[-]

giant_albatrocity@reddit

Such a great music video…

[-]

Brillegeit@reddit

And Walken apparently choreographed most of the movements himself, being a trained dancer from earlier in his career.

[-]

moderatorrater@reddit

Choreographed himself right into a role in Dune 2. Crafty SOB.

[-]

Antrikshy@reddit

I’m still sad we didn’t see him sandwalk.

[-]

anonveggy@reddit

All hail

[-]

myhf@reddit

May its passage cleanse the world.

[-]

myhf@reddit

May its passage cleanse the world.

[-]

stormdelta@reddit

If you can't assed to write something why do you expect us to bother reading it?

Just link the real posts next time and don't create unnecessary noise that makes you look like a spambot by using AI to generate your post like this.

[-]

inamestuff@reddit

Everyone here looking at the finger (package managers) instead of the moon.

We’re still basing our PC threat model on the idea that binaries and scripts shall be trusted blindly

Most of these attacks wouldn’t be possible if OSes didn’t grant global read/write access of any user folder to any program run by the user. Android and iOS completely isolate app storage for this reason.

But no, everyone here blaming npm, ignoring the fact that most ecosystems are broken from this point of view, just some more than others.

Also, all the Java devs mocking JavaScript seem to have forgotten the log4j debacle. No one is perfect here, let’s not fool ourselves

[-]

Upper-Character-6743@reddit

How did these guy's stock bounce back after causing the largest IT outage in history?

[-]

Pharisaeus@reddit

Implications aside, I have to respect the author for naming a worm "Shai-Hulud". At least they are well read.

[-]

josefx@reddit

Or they watched a movie in the last decade.

[-]

anonveggy@reddit

Or played like any MMORPG in the last 20 years

[-]

pillenpopper@reddit

Or they like metalcore bands.

[-]

realityChemist@reddit

Or they asked chatgpt for a list of famous worms

[-]

voyextech@reddit

Or they know of the infamous Russian state sponsored hacker group

[-]

Hal34329@reddit

Next attack: Jim.json

[-]

sparr@reddit

What MMORPGs made any reference to this? I can only think of one.

[-]

anonveggy@reddit

Well.. wow has like 15 gazillion references, Morrowind has some, destiny 2 has some. Hell even SpongeBob 😂

[-]

LemonKurry@reddit

Sponge Bob have an MMO?!

[-]

gnostiphage@reddit

Yes.

[-]

anonveggy@reddit

no haha - at least i dont think so - just another example that came to mind.

[-]

spider_84@reddit

Phew, dont use or even heard of most of them.

[-]

mjsarfatti@reddit

I’m pretty sure you have no idea what packages are imported by the packages you imported in your project…

[-]

Significant_Treat_87@reddit

my standup update: day 1045 of reading through package-lock.json to understand what the hell we are including via 18 levels of nesting…..

[-]

bwainfweeze@reddit

We wee closing in on 1900MB and I got it down to about 780k. Two copies of rxjs were the worst thing in there and we weren’t even using it front end.

[-]

Significant_Treat_87@reddit

dude what the HELL 2gb??????

[-]

bwainfweeze@reddit

No. Big SaaS app. We had about 200 of our own packages because I didn’t quite have enough standing when we moved to git to veto that stupid fucking idea.

Then I got stuck writing 75% of the logic to manage that logistical mess.

[-]

frankster@reddit

So first crowdstrike broke all the windows servers, then they spread a worm? The security snake oil is starting to look like the bigger problem...

[-]

Vega62a@reddit

Crowdstrike sensors do not run Javascript. This article listed nearly 200 packages, of which most were not crowdstrikes.

[-]

frankster@reddit

Crowdstrike are boasting on their website that they can prevent npm supply chain compromises at the same time as spreading malware through the npm supply chain after being compromised themselves :)

https://www.crowdstrike.com/en-us/blog/crowdstrike-falcon-prevents-npm-package-supply-chain-attacks/

[-]

Individual-Ad-6634@reddit

Who cares if sensors run or not. Company that publishes packages takes responsibility for the content.

[-]

Vega62a@reddit

The point being that the blast radius is way smaller. This isn't "oops we accidentally delta airlines," this is "rotate your keys and bump your imports"

[-]

BlueGoliath@reddit

Jia Tan won.

[-]

babige@reddit

Conspiracy Theory: these attacks are from LLM companies, to harvest juicy private repos for their next model

[-]

robby_arctor@reddit

Alex Jones level take - the attackers are LLMs themselves, they've gone rogue

[-]

shroddy@reddit

I would pity them if they try to train from my code.

[-]

FortuneIIIPick@reddit

I Googled how to detect vulnerabilities in npm and found a SO site where it's suggested to run the following, I wonder are these companies simply not doing something like this?

npm audit | grep -B 1 -A 10 High

[-]

max123246@reddit

Those are already discovered vulnerabilities

[-]

i509VCB@reddit

I know people won't like this, but manual code review of every package might be the only way to mitigate most of this., And a increase in minimum standard for uploaded packages. This will mean some packages will never reach npm. But i think it's an acceptable cost.

[-]

Hitman1sd@reddit

Anyone has a link to this actual js bundle?

[-]

cake-day-on-feb-29@reddit

Name a more iconic duo than NPM(aka microshit) and malware.

Name a more iconic duo than Crowdstrike (microshit leech) and causing problems.

Oh, I know, Microshit and "backwards compatibility". Need to support the old & decrepit "web bowsers" with no default JS library? Malware. Need to support windoze drivers? Worldwide shutdown.