HackerTrans
トップ新着トレンドコメント過去質問紹介求人

DDerTyp

no profile record

投稿

Node.js Security Fix Silently Broke node-fetch, which broke other tools

jdstaerk.substack.com
4 ポイント·投稿者 DDerTyp·22 日前·1 コメント

Node-Fetch on latest Node Update broken

github.com
4 ポイント·投稿者 DDerTyp·22 日前·0 コメント

Ask HN: What would you like to be working on?

8 ポイント·投稿者 DDerTyp·2 か月前·11 コメント

Nobel Peace Prize 2025: Venezuelan Politician Maria Corina Machado

bbc.com
18 ポイント·投稿者 DDerTyp·9 か月前·11 コメント

30–60–90-day guide to leading your new dev team like a pro

kamenistak.com
1 ポイント·投稿者 DDerTyp·9 か月前·0 コメント

GitHub: Our plan for a more secure NPM supply chain

github.blog
2 ポイント·投稿者 DDerTyp·10 か月前·0 コメント

The September NPM Attack Was a Warning. Are We Listening?

jdstaerk.substack.com
2 ポイント·投稿者 DDerTyp·10 か月前·0 コメント

Npm packages with over 1b weekly downloads, incl. Chalk, have been compromised.

jdstaerk.substack.com
23 ポイント·投稿者 DDerTyp·10 か月前·1 コメント

コメント

DDerTyp
·4 か月前·議論
Can you elaborate more about this? Why is it irrelevant in Western Europe?
DDerTyp
·9 か月前·議論
Obvious comment to various Amazon price trackers like https://keepa.com/
DDerTyp
·10 か月前·議論
TIL: I need to fix my CI pipeline. Gonna create a jira ticket I guess…

Thank you!
DDerTyp
·10 か月前·議論
You’re right and the excerpt you quoted was poorly worded and confusing. A lockfile is designed to do exactly what you said.

The package.json locked the file to ^1.3.2. If a newer version exists online that still satisfies the range in package.json (like 1.3.3 for ^1.3.2), npm install will often fetch that newer version and update your package-lock.json file automatically.

That’s how I understand it / that’s my current knowledge. Maybe there is someone here who can confirm/deny that. That would be great!
DDerTyp
·10 か月前·議論
Noticed that after ten mins, contacted author immediatly and he seems to be working on it / restoring his account / removing malware on published packages.

Kinda "proud" on it haha :D
DDerTyp
·10 か月前·議論
One of the most insidious parts of this malware's payload, which isn't getting enough attention, is how it chooses the replacement wallet address. It doesn't just pick one at random from its list.

It actually calculates the Levenshtein distance between the legitimate address and every address in its own list. It then selects the attacker's address that is visually most similar to the original one.

This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit of only checking the first and last few characters of an address before confirming a transaction.

We did a full deobfuscation of the payload and analyzed this specific function. Wrote up the details here for anyone interested: https://jdstaerk.substack.com/p/we-just-found-malicious-code...

Stay safe!
DDerTyp
·10 か月前·議論
It looks like a lot of packages of the author have been compromised (in total over 1 billion downloads). I've updated the title an added information to the blog post.
DDerTyp
·10 か月前·議論
Update: It seems like all packages of the author got hacked.
DDerTyp
·10 か月前·議論
The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.