this post was submitted on 31 Mar 2026
216 points (100.0% liked)

Selfhosted

56958 readers
808 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
216
Axios JavaScript library has been compromised with malware in supply chain attack (github.com)
submitted 1 month ago by qaz@lemmy.world to c/selfhosted@lemmy.world
12 comments fedilink hide all child comments
top 12 comments
sorted by: hot top controversial new old
[–] eskuero@lemmy.fromshado.ws 35 points 1 month ago* (last edited 1 month ago) (1 children)

You can mitigate similar attacks by editing your .npmrc

min-release-age=7 # days
ignore-scripts=true
[–] PetteriPano@lemmy.world 35 points 1 month ago (2 children)

It's a good way to keep the exploit around for seven days, too, if you apply it right away.

[–] taco_shale032@lemmy.ml 7 points 1 month ago (1 children)

I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.

[–] eskuero@lemmy.fromshado.ws 10 points 1 month ago (1 children)

As long as the bot is not allowed to automatically merge minor version bumps in libraries...

[–] magikmw@piefed.social 2 points 1 month ago

Well yes, one can misuse any tool.

[–] eskuero@lemmy.fromshado.ws 2 points 1 month ago

How? If you got hit by this you are looking at restoring the system from a safe previous version.

And the compromised versions get pulled, not superseeded by a new release, so once you rebuild you would go back to a safe version...

[–] TechnoCat@piefed.social 19 points 1 month ago (1 children)

I always advocate switching to pnpm where install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.

[–] techpeakedin1991@lemmy.ml 4 points 1 month ago (2 children)

Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.

[–] TechnoCat@piefed.social 3 points 1 month ago (1 children)

Minimum age would have prevented it in this case.

[–] prettygorgeous@aussie.zone 0 points 4 weeks ago

Just ask Australian how well minimum age verification works!

[–] TechnoCat@piefed.social 3 points 1 month ago

On closer inspection, preventing post-install would have fixed it too: "The attack exploited a transitive dependency, plain-crypto-js@4.2.1, which executed a postinstall script to deploy the RAT."

[–] fizzle@quokk.au 7 points 1 month ago

Doesn't seem to have been live for very long.