A lot of vendors and open-source projects shared guidance on protecting users from downloading malicious NPM packages after the Shai-Hulud campaign — but almost nothing focused on protecting maintainers from accidentally (or maliciously) publishing them.
So we built a small tool that continuously monitors your NPM packages and automatically unpublishes any version not produced by your CI workflow.
How does it do either of these two things, exactly?
> and locked down
It doesn't lock anything down; in fact, it only serves a purpose if your CI isn't locked down. Your npm token should not be visible to anything except npm. If it is, then you've got far bigger problems.
At best, this only serves as a reactionary warning / damage control in case your CI is compromised, i.e., after you've already been pwned. Which is all well and good, don't get me wrong, but pretending it "protects" you from anything is giving a false sense of security.