"No Way To Prevent This" Says Only Package Ecosystem Where This Regularly Happens
Shai-Hulud Returns: Over 300 NPM Packages infected via Fake Bun Runtime Within Hours
mahryekuh@hachyderm...
replied 24 Nov 2025 11:36 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vl8hjtG8NZbcbZfPGD
@benjojo Any package distribution ecosystem could fall prey to this, but it's painful that it's NPM again.
benjojo
replied 24 Nov 2025 11:42 +0000
in reply to: https://hachyderm.io/users/mahryekuh/statuses/115604467407364319
@mahryekuh what do you mean by distributed package ecosystem? Surely NPM is just GitHub-owned and operated? I know that this occasionally happens to the Python ecosystem, but I don't really know of other cases where this kind of active maliciousness (especially the ones that are effectively worms) happens in other languages
mahryekuh@hachyderm...
replied 24 Nov 2025 12:13 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/f4D41MZHV6pz37692w
@benjojo I was thinking of “package distribution ecosystem” and not “distributed package ecosystem”. So a language snafu on my side.
soc@chaos.social
replied 24 Nov 2025 12:21 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vl8hjtG8NZbcbZfPGD
@benjojo Meanwhile Maven Central is well-protected, considering library authors can barely navigate the byzantine labyrinth of rules, conventions and configuration to publish their own legitimate packages.
benjojo
replied 24 Nov 2025 12:22 +0000
in reply to: https://chaos.social/users/soc/statuses/115604643709016514
@soc and no one's heard from the CPAN guys in at least a decade, so we can only assume that they're just having fun down there
castaway@fosstodon.o..
replied 25 Nov 2025 07:17 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/JYkV2gZP2sKlSX1B1V
benjojo
replied 24 Nov 2025 11:34 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vl8hjtG8NZbcbZfPGD
I guess it's funny to laugh at the JS people, but it seems like the Rust ecosystem is ripe for this kind of thing too... GitHub's lack of care (it seems) for NPM (and general Actions security etc.) seems to be the main attractor to this, that and the wider usage (plus instant deployment from git stuff) of the JavaScript ecosystem