Tiny Homes (nytimes.com)

1 points by thelastgallon 1m ago 0 comments

Show HN: Web-based receipt splitter, no downloads, no accounts (split.narula.xyz)

1 points by narulaskaran 3m ago 0 comments

Yes, your Mac talks to itself. It's okay. (sixcolors.com)

1 points by CharlesW 3m ago 0 comments

Code Rush: The Beginnings of Netscape/Mozilla [video] (youtube.com)

1 points by CharlesW 5m ago 0 comments

Ask HN: How can we make the Asana API and integrations platform better?

1 points by pspeter3 5m ago 0 comments

Google Meet Service Disruption (google.com)

3 points by foxfired 9m ago 0 comments

All 54 lost clickwheel iPod games have now been preserved for posterity (arstechnica.com)

2 points by CharlesW 9m ago 1 comments

How to Avoid Knowledge Stagnation (marlonribunal.com)

1 points by MarlonPro 10m ago 0 comments

Space travel may accelerate the aging of stem cells as much as tenfold (nbcnews.com)

1 points by chapulin 10m ago 0 comments

Walling Off the Open Internet to Stop AI May End Up Breaking Everything Else (techdirt.com)

3 points by hn_acker 13m ago 2 comments

The Vector Bottleneck: Limitations of Embedding-Based Retrieval (shaped.ai)

3 points by emschwartz 15m ago 0 comments

Track AIPAC (trackaipac.com)

6 points by barrister 19m ago 0 comments

British 'Thor' becomes first person to swim 1000 miles around Iceland (news.sky.com)

1 points by austinallegro 19m ago 0 comments

Color NPM Package Compromised (fasterthanli.me)

14 points by coldblues 21m ago 1 comments

GitHub Actions is a trusted computing oracle (ethanheilman.com)

2 points by EthanHeilman 21m ago 0 comments

Google Dorking in Cybersecurity (kalilinuxtutorials.com)

1 points by thehacknews 22m ago 0 comments

Robinhood Markets to Join the S&P 500 Index (wsj.com)

1 points by garbawarb 22m ago 0 comments

Show HN: React AI Agent Chat SDK (github.com)

2 points by mifydev 23m ago 0 comments

New York's Airbnb Crackdown, in Force for 2 Years,Hasn't Improved Housing Supply (wsj.com)

2 points by Bostonian 24m ago 1 comments

Ask HN: How do you track what's backed up?

2 points by atomicnature 25m ago 1 comments

Making XML human-readable without XSLT (jakearchibald.com)

3 points by PaulHoule 26m ago 0 comments

My Mom and Dr. DeepSeek (restofworld.org)

1 points by bookofjoe 26m ago 0 comments

Ask HN: Looking for Some Guidance

1 points by rookie123 27m ago 2 comments

GPT-5: The Case of the Missing Agent (secondthoughts.ai)

1 points by paulpauper 28m ago 0 comments

KVComp: A High-Performance, LLM-Aware, Lossy Compression Framework for KV Cache (arxiv.org)

3 points by kstonekuan 29m ago 0 comments

SFPD let Georgia, Texas cops illegally search surveillance data on behalf of ICE (sfstandard.com)

6 points by chaps 29m ago 0 comments

U.S. colleges poised to close in next decade, expert says (spokesman.com)

4 points by paulpauper 29m ago 1 comments

America is in a serious jobs slump (cnn.com)

8 points by paulpauper 30m ago 1 comments

Shoot, Move, Communicate (ihoka.me)

1 points by ihoka81 31m ago 0 comments

Show HN: YouTubeMovieCatt: Free YouTube Movies Alert on X (x.com)

1 points by jdcampolargo 32m ago 0 comments

Crack the Program, Win a Book (crackmes.one)

1 points by ryanmerket 32m ago 0 comments

Can a bold 'social contract' make data sharing more palatable? (nature.com)

2 points by rntn 33m ago 0 comments

Escaping the Internet (ryanckulp.com)

5 points by freediver 33m ago 1 comments

An Introduction to SiFive's 2nd Gen AI accelerators [video] (youtube.com)

1 points by fork-bomber 33m ago 0 comments

Claude Code fails to fetch or create the GPL v3.0 license when asked

2 points by mccoyb 34m ago 0 comments

Trump's Made-in-USA Push Undermined by Hyundai Raid, Visa Flaws (bloomberg.com)

2 points by JumpCrisscross 35m ago 1 comments

Image descriptions (alt text) on Bluesky (digitalseams.com)

1 points by bobbiechen 37m ago 0 comments

India expands censorship powers, lets lower officials demand takedowns (aljazeera.com)

3 points by LordAtlas 38m ago 0 comments

Confidential video conferencing for the conversations that matter (proton.me)

1 points by teekert 39m ago 0 comments

False Confidence (theaiunderwriter.substack.com)

1 points by participant1138 39m ago 1 comments

OpenAI Backs AI-Generated Animated Film 'Critterz' (winbuzzer.com)

1 points by andsoitis 40m ago 0 comments

Jetson One Personal Electric Aerial Vehicle (jetson.com)

2 points by lisper 40m ago 0 comments

Quick demo of academic/PDF AI Agent built for researchers and students (youtube.com)

1 points by ieuanking 40m ago 1 comments

Google Meet Outage

2 points by thanhhaimai 41m ago 0 comments

Teaching a small embedding model with LLMs to deliver GPT-like semantics in 10ms (instantdomainsearch.com)

1 points by mattmmm 42m ago 1 comments

Ask HN: Help me! What should I do?

1 points by rookie123 44m ago 0 comments

Fenrir – Bootchain exploit for MediaTek devices (github.com)

2 points by captn3m0 44m ago 0 comments

Ask HN: What is your approach when building your own tooling?

1 points by toomuchtodo 44m ago 0 comments

iPhone Dumbphone (stopa.io)

37 points by joshmanders 44m ago 20 comments

What is askme360 and why now? (askme360.ai)

1 points by swareena25 45m ago 0 comments

Npm packages with over 1b weekly downloads, incl. Chalk, have been compromised.

11 DDerTyp 7 9/8/2025, 2:03:26 PM jdstaerk.substack.com ↗

Comments (7)

artooro · 2h ago

This looks pretty bad. Even if this only affects crypto wallets, I can't help but imagine how much worse this could be.

Another good read is at https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...

alaintno · 3h ago

How is it possible that this code (line 9 of the index.js) isn't present in the source github repo, but can be seen in the beta feature of npmjs.com?

Also, the package 1.3.3 has been downloaded 0 times according to npmjs.com, how can the writer of this article has been able to detect this and not increment the download counter?

DDerTyp · 3h ago

The discrepancy comes from how npm packages are published. What you see on GitHub is whatever the maintainer pushed to the repo, but what actually gets published to the npm registry doesn’t have to match the GitHub source. A maintainer (or someone with access) can publish a tarball that includes additional or modified files, even if those changes never appear in the GitHub repo. That’s why the obfuscated code shows up when inspecting the package on npmjs.com.

As for the “0 downloads” count: npm’s stats are not real-time. There’s usually a delay before download numbers update, and in some cases the beta UI shows incomplete data. Our pipeline picked up the malicious version because npm install resolved to it based on semver rules, even before the download stats reflected it. Running the build locally reproduced the same issue, which is how we detected it without necessarily incrementing the public counter immediately.

alaintno · 3h ago

I see, thanks for the explanations, and thanks for warning us about this!

Jenk · 2h ago

It can also be that the repo was modified after a release.

DDerTyp · 2h ago

It looks like a lot of packages of the author have been compromised (in total over 1 billion downloads). I've updated the title an added information to the blog post.

DDerTyp · 3h ago

Update: It seems like all packages of the author got hacked.