HackerTrans
TopNewTrendsCommentsPastAskShowJobs

DDerTyp

no profile record

Submissions

Node.js Security Fix Silently Broke node-fetch, which broke other tools

jdstaerk.substack.com
4 points·by DDerTyp·22 giorni fa·1 comments

Node-Fetch on latest Node Update broken

github.com
4 points·by DDerTyp·22 giorni fa·0 comments

Ask HN: What would you like to be working on?

8 points·by DDerTyp·2 mesi fa·11 comments

Nobel Peace Prize 2025: Venezuelan Politician Maria Corina Machado

bbc.com
18 points·by DDerTyp·9 mesi fa·11 comments

30–60–90-day guide to leading your new dev team like a pro

kamenistak.com
1 points·by DDerTyp·9 mesi fa·0 comments

GitHub: Our plan for a more secure NPM supply chain

github.blog
2 points·by DDerTyp·10 mesi fa·0 comments

The September NPM Attack Was a Warning. Are We Listening?

jdstaerk.substack.com
2 points·by DDerTyp·10 mesi fa·0 comments

Npm packages with over 1b weekly downloads, incl. Chalk, have been compromised.

jdstaerk.substack.com
23 points·by DDerTyp·10 mesi fa·1 comments

comments

DDerTyp
·4 mesi fa·discuss
Can you elaborate more about this? Why is it irrelevant in Western Europe?
DDerTyp
·9 mesi fa·discuss
Obvious comment to various Amazon price trackers like https://keepa.com/
DDerTyp
·10 mesi fa·discuss
TIL: I need to fix my CI pipeline. Gonna create a jira ticket I guess…

Thank you!
DDerTyp
·10 mesi fa·discuss
You’re right and the excerpt you quoted was poorly worded and confusing. A lockfile is designed to do exactly what you said.

The package.json locked the file to ^1.3.2. If a newer version exists online that still satisfies the range in package.json (like 1.3.3 for ^1.3.2), npm install will often fetch that newer version and update your package-lock.json file automatically.

That’s how I understand it / that’s my current knowledge. Maybe there is someone here who can confirm/deny that. That would be great!
DDerTyp
·10 mesi fa·discuss
Noticed that after ten mins, contacted author immediatly and he seems to be working on it / restoring his account / removing malware on published packages.

Kinda "proud" on it haha :D
DDerTyp
·10 mesi fa·discuss
One of the most insidious parts of this malware's payload, which isn't getting enough attention, is how it chooses the replacement wallet address. It doesn't just pick one at random from its list.

It actually calculates the Levenshtein distance between the legitimate address and every address in its own list. It then selects the attacker's address that is visually most similar to the original one.

This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit of only checking the first and last few characters of an address before confirming a transaction.

We did a full deobfuscation of the payload and analyzed this specific function. Wrote up the details here for anyone interested: https://jdstaerk.substack.com/p/we-just-found-malicious-code...

Stay safe!
DDerTyp
·10 mesi fa·discuss
It looks like a lot of packages of the author have been compromised (in total over 1 billion downloads). I've updated the title an added information to the blog post.
DDerTyp
·10 mesi fa·discuss
Update: It seems like all packages of the author got hacked.
DDerTyp
·10 mesi fa·discuss
The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.