Show HN: Auto-Unpublish NPM Packages Published Outside CI

https://github.com/telophasehq/tangent-plugins/tree/main/detections/sha1hulud/npmcicorrelation
5•ethanblackburn•1h ago
A lot of vendors and open-source projects shared guidance on protecting users from downloading malicious NPM packages after the Shai-Hulud campaign — but almost nothing focused on protecting maintainers from accidentally (or maliciously) publishing them.

So we built a small tool that continuously monitors your NPM packages and automatically unpublishes any version not produced by your CI workflow.

Comments

mubou2•1h ago
> keeps your release process clean, reproducible

How does it do either of these two things, exactly?

> and locked down

It doesn't lock anything down, in fact it only serves a purpose if your CI isn't locked down. Your npm token should not be visible to anything except npm. If it is, then you've got far bigger problems.

At best, this only serves as a reactionary warning / damage control in case your CI is compromised, i.e. after you've already been pwned. Which is all well and good, don't get me wrong, but pretending it "protects" you from anything is giving a false sense of security.

ethanblackburn•52m ago
Fair points — this isn’t a preventative control and it doesn’t “lock down” your CI. If an attacker has your NPM token, you’ve already been pwned.

The goal is to stop the spread. This will quickly unpublish a library and alert you, so no one else is downloading the compromised package, like what happened with posthog.
