92 comments

[ 3.1 ms ] story [ 80.4 ms ] thread
Redhat's entire reason for existence is to prevent this.
This is a completely unexpected turn of events that no one could have possibly foreseen.
At some point, they need a new system for these "packages", you've got to be insane to install any of these right now.
Given they use nx my bet is on developer laptop compromise through the nx vscode extension that also compromised GitHub engineer's laptop
I came across this interesting rant the other day: https://github.com/uNetworking/uWebSockets.js/blob/master/mi...

It does make sense that the right way would be to fork every dependency you use and install from your own repo reviewing and merging from upstream as needed. Would be a giant PITA though. :)

Built Packj [1] to audit dependencies easily from CLI.

1. Packj (https://github.com/ossillate-inc/packj) detects malicious PyPI/NPM/Ruby/PHP/etc. dependencies using behavioral analysis. It uses static+dynamic code analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect bad actors (e.g., typo squatting).

Some of us have been doing this for years or decades, including for our desktop OS.

Gentoo graybeards know.

This repository itself had to previously update from the axios supply chain attack [0] (co-authored by Claude lol). But just by looking at the change itself, the package is unpinned and won't solve the problem if another malicious security update happens again.

So if you have an unpinned version of this package and you run 'npm install', you immediately downloaded the compromised version and that's that.

[0] https://github.com/RedHatInsights/javascript-clients/commit/...

Looks like RedHat got compromised by a Black Hat…
Chainguard based images, packages and libraries are first line of defense. Expensive? Yes. Foolproof? No. I think these types services will be mandatory in the near future.
I've made it a habit now to use the --before=2026-05-30 flag when installing packages, where it'll pick the version released before the date you specify, I usually pick around 5 days ago
One thing I've never understood is why NPM allows packages to run code immediately after they are installed. What's the use case for that? A package should just be some code you can call on at runtime
Some packages with native code components (like sharp) will use these hooks to download the correct precompiled native binary for you.
When will npm issues stop ? This has become a big pain !
man we gotta do smth with preinstall hooks atp
(comment deleted)
if RedHat is unable to secure their packages, what can we expect from mere mortals...