HN Reader

Google Meet Outage

3 points by thanhhaimai 2h ago 0 comments

Ask HN: I can't remember the name of a AI CLI tool I saw a few weeks ago

3 points by explosion-s 2h ago 6 comments

Not caring enough about money?

2 points by bsuki 2h ago 4 comments

Ask HN: How to take notes and learn from them?

4 points by spacebuffer 5h ago 7 comments

Claude Code fails to fetch or create the GPL v3.0 license when asked

2 points by mccoyb 1h ago 0 comments

Ask HN: Looking for headless CMS recommendation

83 points by rakshithbellare 8d ago 87 comments

Ask HN: Good resources for DIY-ish animatronic kits for Halloween?

4 points by xrd 1d ago 0 comments

Ask HN: How much can we trust open-source projects or our hardware?

3 points by solosquad 18h ago 7 comments

Ask HN: Who wants to be hired? (September 2025)

122 points by whoishiring 7d ago 358 comments

Ask HN: Who is hiring? (September 2025)

264 points by whoishiring 7d ago 392 comments

Ask HN: How to avoid passive use of AI?

6 points by uscnep-hn 1d ago 10 comments

Ask HN: Can an amateur make contributions to pure math or theoretical physics?

4 points by career_question 23h ago 10 comments

Raku.org Chooses Htmx

11 points by librasteve 1d ago 8 comments

Ask HN: Are api.nasa.gov, data.nasa.gov down or shutdown?

15 points by srameshc 1d ago 1 comments

Why the Technological Singularity May Be a "Big Nothing"

7 points by starchild3001 1d ago 8 comments

Ask HN: Significant reduction in AI related submissions?

8 points by 3vidence 1d ago 7 comments

Automated Workday check in/check out and Microsoft Teams messages monitoring

4 points by quacktheboss 1d ago 0 comments

Ask HN: Is Reddit going the way of Stack Overflow?

11 points by NotAnOtter 15h ago 18 comments

If AI agents take the jobs, who buys the stuff?

22 points by babua 3d ago 20 comments

Ask HN: Why does Google word privacy settings like you agree even when off?

29 points by matesz 5d ago 21 comments

Ask HN: What do you think of the new Digg?

5 points by LorenDB 1d ago 5 comments

Ask HN: Moving from Dev to PM

5 points by madmonk 2d ago 8 comments

Ask HN: Is your company still hiring junior engineers?

44 points by wafflemaker 6d ago 60 comments

New Member Alert

3 points by FatMike 2d ago 4 comments

Ask HN: How long did it take you to learn Git?

7 points by Forgret 1d ago 11 comments

Tell HN: My advice after I applied to 450 positions before getting hired

135 points by usernamed7 9d ago 179 comments

Ask HN: LLM struggles to center div too?

4 points by divan 2d ago 6 comments

Ask HN: Useful AI applications in regular businesses?

9 points by dmos62 2d ago 1 comments

Ask HN: Why do LLMs struggle with word count?

2 points by rishikeshs 2d ago 4 comments

A16Z scouting ambitious Swiss founders for $1M accelerator

3 points by boggsss 2d ago 1 comments

ASIC: Proof-of-Concept Binary Optimizer Reduces Size, More to Come

2 points by Forgret 2d ago 4 comments

Ask HN: How do you fight YouTube addiction and procrastination? I'm struggling

149 points by angelochecked 8d ago 148 comments

Ask HN: When was the last time you visited Stack Overflow?

14 points by TimLeland 4d ago 25 comments

Ask HN: VSCode AI Autocomplete Woes

4 points by blinkbat 4d ago 4 comments

Npm packages with over 1b weekly downloads, incl. Chalk, have been compromised.

19 DDerTyp 7 9/8/2025, 2:03:26 PM jdstaerk.substack.com ↗

Comments (7)

artooro · 4h ago
This looks pretty bad. Even if this only affects crypto wallets, I can't help but imagine how much worse this could be.

Another good read is at https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...

alaintno · 5h ago
How is it possible that this code (line 9 of the index.js) isn't present in the source github repo, but can be seen in the beta feature of npmjs.com?

Also, the package 1.3.3 has been downloaded 0 times according to npmjs.com, how can the writer of this article has been able to detect this and not increment the download counter?

DDerTyp · 4h ago
The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.

alaintno · 4h ago
I see, thanks for the explanations, and thanks for warning us about this!
Jenk · 4h ago
It can also be that the repo was modified after a release.
DDerTyp · 3h ago
It looks like a lot of packages of the author have been compromised (in total over 1 billion downloads). I've updated the title an added information to the blog post.
DDerTyp · 4h ago
Update: It seems like all packages of the author got hacked.