[kwlug-disc] NPM supply chain worm
Jonathan Poole
jpoole at digitaljedi.ca
Wed Sep 17 19:29:00 EDT 2025
Ahhh NPM the spice of life….
Sent from my iPhone
On Sep 17, 2025, at 7:02 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
I have always thought that NPM's governance makes
NPM packages a very insecure platform to build stuff on.
For years, whenever I have encountered a nifty piece
of software that I need, but it requires NPM, I would
definitely pass.
Now there is another example of a supply chain attack where
a self-replicating worm (dubbed Shai Hulud, Dune fans will
know the relation).
https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
--
Khalid M. Baheyeldin
_______________________________________________
kwlug-disc mailing list
To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
with the subject "unsubscribe", or email
kwlug-disc-owner at kwlug.org to contact a human being.