fp.

AI detected potential malware. Plus a bunch of words. Is this a real thing? It does look like all the other npm compromise notes. But the page has AI and potential written on it, so the whole thing may be fabricated, and there are no other comments here.

So on balance I guess I'll ignore it. What a time to be a developer.

seanieb•11m ago

socket.dev is a well known a reputable company, and their founder is pretty well known and trusted too. And looking that their blog post it looks like detected a real attack.

kevin_thibedeau•1h ago

To avoid LeftPad 3.0 they're going to have to add some sort of signed capabilities manifest to restrict API access for these narrow domain packages. Then attackers would limited to targeting those with network privileges.

aussieguy1234•59m ago

They're scanning for credentials. If they can get things like AWS credentials, I would expect to see cloud crypto mining as their next move. So it would be a good idea to keep an eye on your infra if you are affected.

efortis•55m ago

Mitigate it with:

  echo "ignore-scripts=true" >> ~/.npmrc

https://blog.uxtly.com/getting-rid-of-npm-scripts

jimmyl02•6m ago

this being the 2nd large compromise of the week is not boding well from the NPM ecosystem...

supply chain is and has been the new gold mine for bad actors it seems

seanieb•36s ago

There have been practical suggestions that could prevent this but NPM has not yet adopted:

- Prevent publishing new package versions for 24–48 hours after account credentials are changed.

- Require support for security keys.