🧐 What Am I Thinking This Week

If you have been following news about npm lately, you might already know they have been several incidents of supply-chain attacks happening on many popular packages. Here is a list of blog posts if you’d like to read more about them:

• Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident

• Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages

• CrowdStrike npm Packages Compromised in Ongoing Supply Chain Attack

What is Supply-Chain Attack

Instead of finding vulnerabilities in your system, supply-chain attack focuses on compromising part of the process that produces, updates, or distributes so malicious code can reach downstream users that trust and depend on your software. This includes but not limited to:

• Add malicious codes after obtaining OSS maintainer’s account

• Compromise CI/CD to alter distribution process for example adding malicious script that runs when installed

• Publish packages outside of proper process

Such attack is dangerous as it builds on trust.

Most users would update their dependencies without checking the change logs or announcements. Your secrets or tokens are leaked before you know it.

Repositories that were affected by Nx’s supply-chain attacks have found their public and private repos forked and made public which is essentially leaking source code to everyone even if you are a private organization.

What Can You Do?

Only run trusted code

What started the Nx attack was a commit that aimed to validate PR titles for all pull requests but didn't sanitize the title. Since it runs for all PR, attackers can write script in the title to steal secrets from the CI pipeline.

• Only run trusted code that are in your control

• Always sanitize input to avoid running malicious script accidentally

Version pinning

When you install package, there are flexibilities in which versions you’d like to install following the semantic versioning rule.

• Patch releases: 1.0 or 1.0.x or ~1.0.4

• Minor releases: 1 or 1.x or ^1.0.4

• Major releases: * or x

npm has a SemVer Calculator to check what versions are available given the semvar syntax.

Use semantic versioning is supposed to make receiving updates easier including those hot fixes or security fixes, but you are still exposed to the risks of installing malicious codes.

Package managers nowadays generate a separate lockfile that records the version of every direct and transitive dependency. This ensures project in different environments have the same version of dependencies. But if you remove the lockfile, node_modules, or update package.json, you might just update your dependencies without you knowing.

Pinning the exact version of your dependency is much safer. You do risk not have the latest updates and fixes but I personally prefer knowing what’s updated before I manually update them.

Setting minimumReleaseAge in pnpm

If you use pnpm in your project, in 10.16.0, you can set a minimumReleaseAge property in your pnpm-workspace.yaml file to define the minimum number of minutes a version has to be released for before pnpm will install it. This applies to all dependencies and goes along with semantic versioning.

This doesn’t solve the problem but does reduce the risk of installing malicious versions before they get pulled.

Disable postinstall

These attacks take advantage of the postinstall hook when installing a new dependency. The primary purpose was to automate tasks after a package is installed but to help mitigate the supply-chain attacks, you can disable these scripts but running:

npm install --ignore-scripts

or

npm config set ignore-scripts true

If you are using pnpm, it doesn't run postinstall scripts by default now and you need to use pnpm approve-builds or add --allow-build flag during installation. pnpm would usually ask you if you want to run the scripts if there are any.

💡The ONE thing I've found interesting

Apparently, Apple has added a custom CSS property that can apply Liquid Glass effect to elements. It’s not really available but the code is there and behind a flag that is not easy to turn on. I think it might look sick if it actually works and makes to public.

-apple-visual-effect: -apple-system-glass-material;

If you enjoyed this post, join over 100 fellow readers on this journey, subscribe and share to get fresh insights delivered straight to your inbox!