-
This repository itself had to previously update from the axios supply chain attack [0] (co-authored by Claude lol). But just by looking at the change itself, the package is unpinned and won't solve the problem if it happens again as an illegitimate "security update".
So if you have an unpinned version of this package and you run 'npm install', you immediately download the compromised version and that's that.
[0] https://github.com/RedHatInsights/javascript-clients/commit/...
-
>> In every one of these threads there's a bunch of snarky comments, either acting like this class of attack is exclusive to npm, or that nothing has been done about it. I don't think that's fair.
> … the classic "no way to avoid this" The Onion article
But isn't the point of The Onion article that A) the US has >50x as many incidents as the rest of the developed world combined [1], and yet B) acts like there is "no way to avoid this"? Does NPM have >50x as many incidents as the rest of the established languages combined? Is NPM claiming there is "no way to avoid this", or are they putting in place things like automatic install delays?
While all the major js package managers already support install delays, none of the big local C#/dotnet/nuget apps do (Visual Studio/Rider/nuget/dotnet/VS Code). https://github.com/NuGet/Home/issues/14657
[1] https://edition.cnn.com/2018/05/21/us/school-shooting-us-ver...
-
I came across this interesting rant the other day. https://github.com/uNetworking/uWebSockets.js/blob/master/mi...
It does make sense that the right way would be to fork every dependency you use and install from your fork, reviewing and merging from upstream as needed. Would be a giant PITA though. :)
-
Some packages need to build native dependencies. sharp, for example, needs to build libvips on the system [0] to work.
0: https://github.com/lovell/sharp/blob/main/install/build.js
-
> they've taken no action.
Not running lifecycle scripts by default is eventually going to be the default behavior. Late is worse than not at all. https://github.com/npm/rfcs/pull/868
-
https://github.com/s4u/pgpverify-maven-plugin
If you want paranoid mode, you can verify literally every part of the maven build process.
-
A friend of mine has a GitHub repo with references to how to set things up in a sane and slightly more secure manner: https://github.com/jordanconway/package-manager-hardening
-
They have taken action as of very recently. The latest version [1] of npm warns when there are install scripts and tells you they will be disabled by default in a future version, with a per-dependency opt in mechanism [2].
[1] https://github.com/npm/cli/releases/tag/v11.16.0
[2] https://github.com/npm/rfcs/pull/868
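The two defender-side checks this thread keeps coming back to, unpinned ranges that let a later 'npm install' float to a poisoned release (the axios comment above) and packages that run install scripts (this comment), can be read straight out of a package-lock.json. The script below is an added example, not code from any commenter or from npm; it audits a constructed lockfileVersion 3 document whose package names, registry URLs and integrity values are placeholders, and it relies on npm's own hasInstallScript flag to spot lifecycle scripts.

```python
import json
import re

# Constructed sample lockfile in npm's lockfileVersion 3 layout. Package names,
# URLs and integrity strings are placeholders, not taken from any real project.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"dependencies": {"lib-a": "^1.6.0", "lib-b": "0.33.2", "lib-c": "1.0.0"}},
    "node_modules/lib-a": {"version": "1.6.8",
      "resolved": "https://registry.example/lib-a/-/lib-a-1.6.8.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/lib-b": {"version": "0.33.2",
      "resolved": "https://registry.example/lib-b/-/lib-b-0.33.2.tgz",
      "integrity": "sha512-PLACEHOLDER", "hasInstallScript": true},
    "node_modules/lib-c": {"version": "1.0.0",
      "resolved": "https://registry.example/lib-c/-/lib-c-1.0.0.tgz"}
  }
}
""")

# An exact pin is MAJOR.MINOR.PATCH with an optional prerelease tag; anything
# else (^, ~, >=, *, x, ||, "latest") is a floating range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def audit_lockfile(lock):
    """Return (package, finding) tuples for a parsed package-lock.json."""
    findings = []
    root = lock["packages"].get("", {})
    declared = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(root.get(field, {}))
    for name, spec in sorted(declared.items()):
        # A range such as ^1.6.0 lets a fresh install resolve to whatever the
        # registry serves next, including a malicious "security update".
        if not EXACT_VERSION.match(spec):
            findings.append((name, f"unpinned range {spec!r}"))
    for path, meta in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue
        name = path.split("node_modules/")[-1]
        if meta.get("hasInstallScript"):  # npm sets this for pre/post/install scripts
            findings.append((name, "runs lifecycle (install) scripts"))
        if "integrity" not in meta:
            findings.append((name, "no integrity hash; tarball cannot be verified"))
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {why}")
```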