Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"Oh a new exploit, I wonder if npm is involved at all"

Yup. Every time, I guess it's one of the most common attack vectors, can we do anything to secure NPM more against these supply chain attacks? I swear NPM is always involved in all sizable attack vectors these days.



To be fair in this case it looks like npm was used as a way to run arbitrary code in a way that wouldn't look out of place immediately in a PKGBUILD file. All of this could have been done from within the install hook or anywhere else really in the PKGBUILD, it would've just been more obvious at a cursory glance if there was now randomly a curl | bash in the file.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: