We ended up migrating to Bun to strengthen security as similar NPM vulnerabilities are bound to happen. Also, blazing fast 🚀
Like a lot of other developers, I opened up my laptop this morning to the disturbing news of Shai-Hulud malware compromising the entire NPM ecosystem.
Luckily, we had zero impact on our end, but these attacks are always a great opportunity to improve and ensure we stay safe in the future.
Instant mitigation
- Check if any of our engineers have been compromised:

```shell
# Walk every member of the GitHub org and flag any non-fork repo whose
# description contains the Shai-Hulud marker string.
for user in $(gh api orgs/YOUR_ORG/members --paginate | jq -r '.[] | .login'); do
  echo "Checking $user"
  gh repo list "$user" --source --json name,description \
    --jq '.[] | select(.description | contains("Sha1-Hulud: The Second Coming")) | .name'
done
```

- Ask all engineers to not run `npm install` and stop all CI/CD pipelines until things are under control
Long-term mitigation
After ensuring that we were safe for now, we started looking into long-term solutions.
Ideas:
- Block all lifecycle scripts - not ideal as we have cases where it's needed
- Pin all dependencies to a specific version - a lot of work and it means more manual work to stay up to date
- Switch to a package manager with better security defaults
At first I attempted to use Lavamoat/allow-scripts to allow specific packages to run scripts, but it required too much work and the developer experience was suboptimal.
So instead, we decided to migrate from NPM to Bun (but only as a package manager) as we then get:
- `trustedDependencies` (and proper user feedback about blocked scripts)
- `minimumReleaseAge` (e.g. only install package versions published at least X days ago)
- Speed 🚀
- A lot of other improvements around DevEx
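As an added example (not config from the original post), this is roughly what those two settings look like on the Bun side; it assumes `minimumReleaseAge` in `bunfig.toml` is given in seconds and that the script allow-list lives in `package.json`, so check both against the Bun docs for your version:

```toml
# bunfig.toml (added example, not from the original post)
[install]
# Only install package versions that have been on the registry for at least
# this long. Assumed to be in seconds: 259200 = 3 days, long enough for a
# malicious release to be reported and pulled before it reaches our lockfile.
minimumReleaseAge = 259200

# Packages we deliberately want without the delay, e.g. our own internal
# scope. Assumed key name and example package name; verify for your version.
minimumReleaseAgeExcludes = ["@your-org/internal-lib"]

# Lifecycle scripts (postinstall etc.) are blocked by default. The allow-list
# does NOT live here: add it to package.json instead, e.g.
#   "trustedDependencies": ["sharp", "esbuild"]
# Any other package that tries to run a script is skipped and reported by
# `bun install`, which is the "proper user feedback" mentioned above.
```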
As an alternative, if you for some reason can't move to Bun, pnpm has stepped up in this area and also supports both of these security features.
To be honest, I have been waiting for a good reason to prioritise migrating to Bun and this was it... So thanks evil hackers, I guess? ¯\_(ツ)_/¯