tinycolor and Shai-Hulud

[bryceglass]

Just posting here to raise awareness. One of the package dependencies for webawesome is tinycolor, that was one of the targeted packages in the Sept. 15 Shai-Hulud / Trufflehog npm attack.

I, unfortunately, chose that very evening on the 15th to npm install webawesome to play around with a learning project. Fortunately, my orgs security folks detected the compromise quickly (and I don't possess any useful secrets - just a UX designer trying to upskill on frontend development.)

This article breaks down the attack, and gives some guidance on how to rebuild clean: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

[GedMarc]

This was already resolved that evening yes - #1455

[GedMarc]

Use beta6

[claviska]

Hey there! Sorry you were affected by this. We were made aware of the attack within about three hours of it appearing and, despite most of us having signed off for the evening, we managed to pin tinycolor to the last known safe version and publish a new version of Web Awesome to prevent it from propagating to our users. We also posted on X, Bluesky, Threads, and Discord to warn folks.

For those who aren't in the Discord chat, here's a copy of the post:

Folks, one of the npm dependencies that Web Awesome uses for color conversions was compromised on npm three hours ago.

This will only affect you if you're using npm to install Web Awesome.

The dependency in question and details about the malicious script can be found here @ctrl/tinycolor: https://socket.dev/npm/package/@ctrl/tinycolor/overview/4.1.2

We are already working on a release that pins this dependency to 4.1.0, the last unaffected version. Please do not install Web Awesome with npm until we post a follow up here! The CDN version of Web Awesome remains unaffected and is safe to use.

We select dependencies very carefully and we don't use a lot of them in Web Awesome. Unfortunately, these types of attacks can happen to the best open source authors. We'll make sure the issue is fixed upstream and hopefully the author or npm will remove the malicious packages quickly.

A new version of Web Awesome that blocks the malicious package is deploying shortly...please standby!

Soon after, we published 3.0.0-beta.6 and, fortunately, the affected versions were removed from npm the same evening.

We take security very seriously and will continue to monitor our dependencies closely. If you have any questions or concerns, please don't hesitate to reach out through any of our channels.

Stay safe out there!

[bryceglass]

Great, quick response. I'm new to WA from (some) experience w/Shoelace, I'll have to get better-plugged-in to the various community channels. Thanks @claviska!