this post was submitted on 15 Oct 2025
6 points (80.0% liked)

Sysadmin

11623 readers
41 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago
MODERATORS
DarraignTheSane@lemmy.world
00Lemming@lemmy.world
L3s@lemmy.world
6
NPM Supply Chain Attack: Is the Coast Clear? (lemmy.world)
submitted 4 weeks ago by BombOmOm@lemmy.world to c/sysadmin@lemmy.world
2 comments fedilink hide all child comments
 

About a month ago NPM was compormised. It was advised to lock versions to before the compromise.

However, one eventually needs to unlock and start getting updates again. Does anybody know if the coast is clear, or possibly a place that is tracking known compromised packages and their current status?

you are viewing a single comment's thread
view the rest of the comments
[–] roadrunner_ex@lemmy.ca 4 points 4 weeks ago

Yes and no. The truth of the matter is supply-chain attacks in any repository are almost impossible to fully mitigate. The attack you linked sounds like a big and successful attack, but there are more minor attack attempts all the time. It’s the blessing and curse of every package manager that anyone can upload almost anything.

The upshot is that the most active repos have the most eyes. Not to say an attack won’t fly under the radar, but if the React or Angular packages (or their dependencies) start acting weird, it’s more likely that someone will notice, as there are people dedicated to auditing such things.

Furthermore, a lot of the smaller packages do “one thing” (see the infamous is-even package), so they are small and easy to self-audit if you are paranoid enough.

It’s not perfect, and there will always be more headlines about the next big attack, but it’s still a boon overall IMO.