@redhat-cloud-services publish pipeline is compromised today and shipped a signed, trusted, malicious npm package
Posted by BattleRemote3157@reddit | programming | View on Reddit | 47 comments
patch-client@4.0.4 went out through the project's own github action OIDC trusted publisher today and not any stolen token or a typosquat anything, the actual release pipeline produced it. this runs on npm install, steals cloud creds and self propagates by injecting fake CodeQL workflows into repository the stolen tokens can reach. 32 packages is currently sharing the same publisher so the window of exposure isn not only just a single package.
if you have anything from related to /redhat-cloud-services in your tree, 4.0.3 is the last clean version.
voteyesatonefive@reddit
NPM you say... totally unprecedented.
tgo1014@reddit
the classic: s from npm is for security
Zagerer@reddit
does that mean SPM (Swift Package Manager) is actually secure?
aaulia@reddit
There is no S in NPM... Oh...
Dragon_yum@reddit
It’s honestly as simple as not always updating for the latest and “greatest” right away.
The pro move is to accumulate multiple years worth of tech dept anyway.
ScottContini@reddit
Bun, trusted publishing, OIDC : three good controls but didn’t stop attacker who was already inside.
stormdelta@reddit
It's almost always npm. That entire ecosystem has been fucked since the beginning IMO, and vibe coding has only intensified it.
Even for CI / automation, npm is the number one culprit that causes weird problems compared to virtually any other ecosystem. Their dependency management is turbo-fucked, amplified by years and years of godawful design choices.
For example, to this day, npm still won't actually use the package lock file in a way that is consistent with literally any other ecosystem if you run
npm install. Yes, I'm well aware they want you to usenpm ciinstead, but it's emblematic of the kind of counterintuitive and bad design choices the ecosystem is riddled with.Delta-9-@reddit
This last month of constant NPM hacks makes me so glad to not be a JS developer.
aaulia@reddit
You must try their tooling. Having a codebase that started out with CRA, and then migrated to Vite and changing from Jest to Vitest, having build stuff changing from CJS to ESM, on top of that a single transitive dependency that doesn't support your new stuff will break your build. I spent more time fixing the tooling than coding. Dependency hell is real.
I was a C++ gamedev turned mobile dev, so my tolerance for any kind of warning, let alone error, from the compiler is none existence. But apparently for our web dev, having npm install screaming at you with warnings, security issues and potential breakage is just normal and they just code like nothing happened and as long as the build succeeded.
Zagerer@reddit
Oh yeah it’s baffling lmao, I’m a former C++ dev that became mobile and backend with js and people’s tolerance for errors is very low. But also, they kinda try not to deal with it by themselves if it’s too long. I’m like buddy have you seen templating errors in C++? This is nothing
randylush@reddit
i'm really trying to go the rest of my life without having to deal with it again. what an absolute chore
stormdelta@reddit
I do backend pipeline/development automation work, and I avoid going near the node.js services if I can help it as they're always a trainwreck.
Our python, Java, and Go-based projects are dramatically easier to deal with.
Crimson_Raven@reddit
fml that sounds exactly like my experience
Worth_Trust_3825@reddit
thats because the "security warnings" are effectively noise in npm. it does not help at all besides get you to ignore any security problems you would ever get, because they consider regex api misuse (if it leads to "ddos" (what ever the fuck that means in their world)) a critical security vulnerability. try building any project that just works™ today, and youll get at least 20 critical vulnerabilities, 100 high, and etc, and i fucking guarantee you that most of them will be "ddos via regex".
SkoomaDentist@reddit
LLM agent go BRR...
imp0ppable@reddit
Same here, I'd much rather be using Go or Python.
TBF the node people themselves are improving the ecosystem by being much more batteries included but they don't help themselves with things like the CJS to ESM switch. Since a lot of external dependencies have switched to ESM, now we have layers of dependencies in our repos with significant work required in each link of the chain to do the migration.
Some things just flat don't work any more like building out into an executable, we're stuck on a dodgy fork of an repo called
pkgfor the time being.pyabo@reddit
It's been that way for a decade at least.
Delta-9-@reddit
I mean, I was already glad to not be a JS developer, but now I'm glad, too.
witness_smile@reddit
At this point using NPM is a security risk of itself.
cake-day-on-feb-29@reddit
At any point using a microshit product has been a security risk, yet somehow they unfortunately still exist. People continue to think them owning GitHub and NPM is somehow a good thing, despite them time and time again showing they don't give a shit about security. They don't even care about security for their first-part language package manager, nugget or whatever.
ScottContini@reddit
I’m no fan of the current situation, but this comment is wrong. Microsoft was one of the leaders in bringing about secure development lifecycles following the 2023 gates memo. GitHub is accelerating a plan to reduce non supply chain risks, but GitHub has a lot of problems right now (not just security) and these things take time. To be fair, the writing was on the wall about npm a long time ago, but it wasn’t until hacker bot-claw did they respect the urgency. You can say they should have started this sooner, but it is very wrong to say they don’t care about security.
max123246@reddit
Oh wow, didn't know npm was owned by Microsoft
Sigmatics@reddit
Using npm has been disallowed in our org, I kid you not
InsidePlane5662@reddit
Does anyone know how to program in GDevelop?
sagarpatel1244@reddit
These keep landing because the entire npm model trusts code execution on install by default, and we've collectively decided that's fine. It isn't. A postinstall script running with your shell's full permissions the moment you npm install is the root cause, and self-propagating worms like this are the logical endgame.
What reduces blast radius (none of it new, all of it underused):
The uncomfortable truth: "move fast, install anything" was always a security posture, just an invisible one. We're getting the bill now. The fix isn't a tool, it's treating every dependency as untrusted code that runs on your machine, because that's exactly what it is.
programming-ModTeam@reddit
The real uncomfortable truth? The rules apply to those who don't read them. Blast radius: you.
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
stormdelta@reddit
Please don't use AI to write your comments.
Sigmatics@reddit
This comment is brought to you by Claude
SurpriseOk6927@reddit
this is next level scary. not a stolen token not a typo squat — the actual trusted pipeline shipped the malware. the self propagation through fake codeql workflows is genius evil. 32 packages sharing that publisher means reviewing one is nowhere near enough
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
saint1997@reddit
Lowercasing your comment doesn't make it any less obvious that it's AI
siriusfeynman@reddit
ai slop comment
smashedshanky@reddit
Figured. It’s always NPM
Altruistic-Spend-896@reddit
Thats it, im off npm. Back to vanilla js and wasm. Fuck you npm
Caraes_Naur@reddit
Reset the "days since NPM supply chain attack" counter back to
NaN.lurker_in_spirit@reddit
To fix that
NaNyou'll need the following:Crimson_Raven@reddit
npm install --save left-space
tsammons@reddit
pastebin really blew the opportunity to serve the void npm filled
Vectorial1024@reddit
No more "days since warthunder leak", now we do "days since NPM hack"
Dragon_yum@reddit
The warthunder leaks are always more entertaining though
thelordmad@reddit
- use something else than npm (pnpm)
- set min-release-age to 7 days
- disable post install scripts
- ???
- profit.
deadbeef1a4@reddit
Welp
snotreallyme@reddit
Am I reading here that this is yet another Github failure?
acdha@reddit
There’s not enough detail to say: the attacker appeared to have a valid token so it’s possible that this was something like a compromised engineer with the wrong VSCode extension (nx?) and too many privileges on their default access.
reivblaze@reddit
If there is anything worse than npm is vscode extensions.
dark_mode_everything@reddit
An npm security incident you say? Wow that's a really rare thing. This almost never happens.