HackerTrans
TopNewTrendsCommentsPastAskShowJobs

DDerTyp

no profile record

Submissions

Node.js Security Fix Silently Broke node-fetch, which broke other tools

jdstaerk.substack.com
4 points·by DDerTyp·22 दिन पहले·1 comments

Node-Fetch on latest Node Update broken

github.com
4 points·by DDerTyp·22 दिन पहले·0 comments

Ask HN: What would you like to be working on?

8 points·by DDerTyp·2 माह पहले·11 comments

Nobel Peace Prize 2025: Venezuelan Politician Maria Corina Machado

bbc.com
18 points·by DDerTyp·9 माह पहले·11 comments

30–60–90-day guide to leading your new dev team like a pro

kamenistak.com
1 points·by DDerTyp·9 माह पहले·0 comments

GitHub: Our plan for a more secure NPM supply chain

github.blog
2 points·by DDerTyp·10 माह पहले·0 comments

The September NPM Attack Was a Warning. Are We Listening?

jdstaerk.substack.com
2 points·by DDerTyp·10 माह पहले·0 comments

Npm packages with over 1b weekly downloads, incl. Chalk, have been compromised.

jdstaerk.substack.com
23 points·by DDerTyp·10 माह पहले·1 comments

comments

DDerTyp
·4 माह पहले·discuss
Can you elaborate more about this? Why is it irrelevant in Western Europe?
DDerTyp
·9 माह पहले·discuss
Obvious comment to various Amazon price trackers like https://keepa.com/
DDerTyp
·10 माह पहले·discuss
TIL: I need to fix my CI pipeline. Gonna create a jira ticket I guess…

Thank you!
DDerTyp
·10 माह पहले·discuss
You’re right and the excerpt you quoted was poorly worded and confusing. A lockfile is designed to do exactly what you said.

The package.json locked the file to ^1.3.2. If a newer version exists online that still satisfies the range in package.json (like 1.3.3 for ^1.3.2), npm install will often fetch that newer version and update your package-lock.json file automatically.

That’s how I understand it / that’s my current knowledge. Maybe there is someone here who can confirm/deny that. That would be great!
DDerTyp
·10 माह पहले·discuss
Noticed that after ten mins, contacted author immediatly and he seems to be working on it / restoring his account / removing malware on published packages.

Kinda "proud" on it haha :D
DDerTyp
·10 माह पहले·discuss
One of the most insidious parts of this malware's payload, which isn't getting enough attention, is how it chooses the replacement wallet address. It doesn't just pick one at random from its list.

It actually calculates the Levenshtein distance between the legitimate address and every address in its own list. It then selects the attacker's address that is visually most similar to the original one.

This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit of only checking the first and last few characters of an address before confirming a transaction.

We did a full deobfuscation of the payload and analyzed this specific function. Wrote up the details here for anyone interested: https://jdstaerk.substack.com/p/we-just-found-malicious-code...

Stay safe!
DDerTyp
·10 माह पहले·discuss
It looks like a lot of packages of the author have been compromised (in total over 1 billion downloads). I've updated the title an added information to the blog post.
DDerTyp
·10 माह पहले·discuss
Update: It seems like all packages of the author got hacked.
DDerTyp
·10 माह पहले·discuss
The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.