225
submitted 3 months ago by qaz@lemmy.world to c/selfhosted@lemmy.world
top 12 comments
sorted by: hot top controversial new old
[-] eskuero@lemmy.fromshado.ws 36 points 3 months ago* (last edited 3 months ago)

You can mitigate similar attacks by editing your .npmrc

min-release-age=7 # days
ignore-scripts=true
[-] PetteriPano@lemmy.world 39 points 3 months ago

It's a good way to keep the exploit around for seven days, too, if you apply it right away.

[-] taco_shale032@lemmy.ml 7 points 3 months ago

I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.

[-] eskuero@lemmy.fromshado.ws 11 points 3 months ago

As long as the bot is not allowed to automatically merge minor version bumps in libraries...

[-] magikmw@piefed.social 3 points 3 months ago

Well yes, one can misuse any tool.

[-] eskuero@lemmy.fromshado.ws 2 points 3 months ago

How? If you got hit by this you are looking at restoring the system from a safe previous version.

And the compromised versions get pulled, not superseeded by a new release, so once you rebuild you would go back to a safe version...

[-] TechnoCat@piefed.social 22 points 3 months ago

I always advocate switching to pnpm where install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.

[-] techpeakedin1991@lemmy.ml 5 points 3 months ago

Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.

[-] TechnoCat@piefed.social 4 points 3 months ago

Minimum age would have prevented it in this case.

[-] prettygorgeous@aussie.zone 2 points 3 months ago

Just ask Australian how well minimum age verification works!

[-] TechnoCat@piefed.social 4 points 3 months ago

On closer inspection, preventing post-install would have fixed it too: "The attack exploited a transitive dependency, plain-crypto-js@4.2.1, which executed a postinstall script to deploy the RAT."

[-] fizzle@quokk.au 7 points 3 months ago

Doesn't seem to have been live for very long.

this post was submitted on 31 Mar 2026
225 points (100.0% liked)

Selfhosted

60758 readers
126 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS