undefined | Better HN

0 pointsmerelysounds4mo ago0 comments

There is an explanation in the article:

> it modifies package.json based on the current environment's npm configuration, injects [malicious] setup_bun.js and bun_environment.js, repacks the component, and executes npm publish using stolen tokens, thereby achieving worm-like propagation.

This is the second time an attack like this happens, others may be familiar with this context already and share fewer details and explanations than usual.

Previous discussions: https://news.ycombinator.com/item?id=45260741

0 comments

tasuki4mo ago

I don't get this explanation. How does it force you to run the infection code?

Yes, if you depend on an infected package, sure. But then I'd expect not just a list, but a graph outlining which package infected which other package. Overall I don't understand this at all.

merelysoundsOP4mo ago

Look at the diff in the article, it shows the “inject” part: the malicious file is added to the “preinstall” attribute in the package.json.

tasuki4mo ago

I still don't get it. Like, I understand that if you apply the diff you get infected. But... why would you apply the diff? How would you trick me to apply that diff to my package?

1 more reply

vintagedave4mo ago

Thanks. I saw that sentence but somehow didn't parse it. Need a coffee :/

j / k navigate · click thread line to collapse

0 pointsmerelysounds4mo ago0 comments

There is an explanation in the article:

This is the second time an attack like this happens, others may be familiar with this context already and share fewer details and explanations than usual.

Previous discussions: https://news.ycombinator.com/item?id=45260741

0 comments

tasuki4mo ago

I don't get this explanation. How does it force you to run the infection code?

Yes, if you depend on an infected package, sure. But then I'd expect not just a list, but a graph outlining which package infected which other package. Overall I don't understand this at all.

merelysoundsOP4mo ago

Look at the diff in the article, it shows the “inject” part: the malicious file is added to the “preinstall” attribute in the package.json.

tasuki4mo ago

I still don't get it. Like, I understand that if you apply the diff you get infected. But... why would you apply the diff? How would you trick me to apply that diff to my package?

1 more reply

vintagedave4mo ago

Thanks. I saw that sentence but somehow didn't parse it. Need a coffee :/

j / k navigate · click thread line to collapse