"No Way To Prevent This" Says Only Package Ecosystem Where This Regularly Happens
Shai-Hulud Returns: Over 300 NPM Packages Infected via Fake Bun Runtime Within Hours
mahryekuh@hachyderm...
replied 24 Nov 2025 11:36 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vl8hjtG8NZbcbZfPGD
@benjojo Any distributed package ecosystem could fall prey to this, but it's painful that it's NPM again.
benjojo
replied 24 Nov 2025 11:42 +0000
in reply to: https://hachyderm.io/users/mahryekuh/statuses/115604467407364319
@mahryekuh what do you mean by distributed package ecosystem? Surely NPM is just GitHub owned and operated? I know that this occasionally happens to the Python ecosystem, but I don't really know of other cases where this kind of active maliciousness (especially the ones that are effectively worms) happens in other languages
benjojo
replied 24 Nov 2025 11:34 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vl8hjtG8NZbcbZfPGD
I guess it's funny to laugh at the JS people, but it seems like the Rust ecosystem is ripe for this kind of thing too... GitHub's lack of care (it seems) for NPM (and general Actions security etc.) seems to be the main attractor to this, that and the wider usage (plus instant deployment from git stuff) of the JavaScript ecosystem