Josh Junon
@bad-at-computer.bsky.social
Coding @ github.com/qix-, making an operating system @ github.com/oro-os
Hope everyone had a fun and safe Halloween 🎃
November 1, 2025 at 11:19 AM
Hugops going out to everyone affected by the worm today. Ping me to DM and AMA if you've been affected. Will guide and assist as best as I can.
September 16, 2025 at 1:26 PM
debug: CVE-2025-59144
error-ex: CVE-2025-59330
color-string: CVE-2025-59142
backslash: CVE-2025-59140
is-arrayish: CVE-2025-59331
simple-swizzle: CVE-2025-59141
color: CVE-2025-59143
color-convert: CVE-2025-59162
color-name: CVE-2025-59145 <pending publication>

Chalk pkgs still pending; bear with.
September 15, 2025 at 7:21 PM
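For anyone who wants to turn the advisory list above into a lockfile check: the following is an added example, not the maintainer's tooling. It takes the package-to-CVE mapping exactly as posted, walks a `package-lock.json` (both the `lockfileVersion` 2/3 flat `packages` map and the older v1 nested `dependencies` tree), and reports every installed copy of a listed package, nested duplicates included, with the CVE to check it against. The post does not state which versions are affected, so the script deliberately reports what is installed rather than judging it; the two lockfiles embedded below are constructed, and their versions are made up.

```python
"""Report installed copies of the packages named in the advisory list.

Added example, not the maintainer's or npm's code. The package -> CVE table is
taken from the post above; both sample lockfiles are constructed for this
illustration and their versions carry no meaning.
"""
import json

# Package -> CVE, as listed in the post (color-name was pending publication).
ADVISORIES = {
    "debug": "CVE-2025-59144",
    "error-ex": "CVE-2025-59330",
    "color-string": "CVE-2025-59142",
    "backslash": "CVE-2025-59140",
    "is-arrayish": "CVE-2025-59331",
    "simple-swizzle": "CVE-2025-59141",
    "color": "CVE-2025-59143",
    "color-convert": "CVE-2025-59162",
    "color-name": "CVE-2025-59145",
}

# Constructed lockfileVersion 3 fragment (flat "packages" map keyed by path).
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/debug": {"version": "4.3.7"},
        "node_modules/color-convert": {"version": "2.0.1"},
        # A second, nested copy pulled in by a dependency: must be reported too.
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Constructed lockfileVersion 1 fragment (nested "dependencies" tree).
SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "chalk": {"version": "2.4.2",
                  "dependencies": {"supports-color": {"version": "5.5.0"}}},
        "color": {"version": "3.2.1",
                  "dependencies": {"color-string": {"version": "1.9.1"}}},
    },
})


def package_name(path: str) -> str:
    """Package name from a lockfile path: the part after the last
    'node_modules/', so scoped names such as '@scope/b' survive intact."""
    _, _, tail = path.rpartition("node_modules/")
    return tail


def _walk_v1(deps: dict, prefix: str, hits: list) -> None:
    """Recursively visit a v1 'dependencies' tree, recording listed packages."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in ADVISORIES:
            hits.append({"name": name, "version": meta.get("version"),
                         "path": path, "cve": ADVISORIES[name]})
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_listed_packages(lockfile_text: str) -> list:
    """Every installed instance of a package in ADVISORIES, sorted by path."""
    lock = json.loads(lockfile_text)
    hits = []
    if lock.get("lockfileVersion", 1) >= 2:
        for path, meta in lock.get("packages", {}).items():
            if not path:
                continue  # the root project entry, not a dependency
            name = meta.get("name") or package_name(path)
            if name in ADVISORIES:
                hits.append({"name": name, "version": meta.get("version"),
                             "path": path, "cve": ADVISORIES[name]})
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits, key=lambda h: h["path"])


def report(lockfile_text: str) -> list:
    """Human-readable lines: one per installed copy, with the CVE to check."""
    return [f"{h['name']}@{h['version']} ({h['path']}): check {h['cve']}"
            for h in find_listed_packages(lockfile_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOCKFILE_V3) + report(SAMPLE_LOCKFILE_V1):
        print(line)
```

Run it against a real lockfile by reading the file into `report()`; the point of walking nested paths is that a pinned top-level version says nothing about a second copy hoisted under another dependency, which is where stale or cached releases tend to hide.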
I have the NPM logs. Not much unexpected except an IP address that wasn't previously known.

It seems clear it was indeed an MITM via the known IP that's out there, followed by account actions via a private IPv6 address.
September 15, 2025 at 4:10 PM
Hi, I missed error-ex in the publishing spree the other day, will publish a new version shortly. My apologies, been another round of busy days/weekend.
September 15, 2025 at 2:47 PM
Still waiting for access to account logs for the post mortem. Trying to get it out ASAP, sorry to those who need it. Doing my best to get it done.
September 15, 2025 at 7:47 AM
All packages have been published over. Please let me know if I broke you somehow and I'll get it fixed ASAP.

Security advisories drafted and CVEs requested; not sure if they should be published immediately without the CVE yet so have held off until I get some guidance (or they're alloc'd).
September 13, 2025 at 5:45 PM
Half of the packages have been published now, slowly working through them. If you see anything messed up please let me know.
September 13, 2025 at 4:38 PM
Took the first real break last night in a week. Highly necessary. Thanks to those who reached out for npm contacts, sounds like things will get handled today.
September 13, 2025 at 2:17 PM
Post mortem is still on hold until I can get everyone secure again. Npm has not been helpful and I'm currently blocked.

I'm sorry for the continued delay, I'd like to be done with this more than anyone else, believe me.
September 12, 2025 at 4:58 PM
Does anyone have a contact at npm who can contact me directly? This is getting silly.

Non sequiturs and hours between responses are so unprofessional I'm getting irritated.

People are still affected by cached versions with malware and once again there's nothing I can do to help them.
September 12, 2025 at 3:46 PM
Hi, something still isn't right with my account configuration. Going to hold off on the package updates until I can receive a response from npm.

There is no threat or continued breach, but I'm not able to publish in a way I'm confident will be secure quite yet. Please bear with.
September 12, 2025 at 2:43 PM
Reposted by Josh Junon
Yesterday, @advocatemack.bsky.social and I sat down with @bad-at-computer.bsky.social to discuss the incident that occurred on Monday, in which popular packages like debug and chalk were compromised. Here's my take on it, along with the entire ~45-minute conversation.

www.aikido.dev/blog/we-got-...
We Got Lucky: The Supply Chain Disaster That Almost Happened
Eighteen widely used open source packages were compromised, downloaded billions of times and embedded across nearly every cloud environment. The community dodged a bullet. But this close call shows ju...
www.aikido.dev
September 12, 2025 at 2:10 PM
⚠️ Heads Up: New patch versions of all affected repositories will be going out today. Please expect that.

Will start in the next hour and will be taking things very slowly.

Chalk repositories are not included in this, as Sindre has already taken care of them.

I am terrified, lmk if I mess up.
September 12, 2025 at 1:10 PM
I feel as though I should write a runbook for other maintainers who are in this situation to help guide them through the process of dealing with a situation like this.

Thinking back, I realize now that "what's next" was the prevailing unanswered question at several points throughout it.
September 12, 2025 at 10:50 AM
Post-mortem to come tomorrow, along with publishing a new version for all affected packages to help cache-bust some of you on e.g. private registries or mirrors.

Thank you all again for the patience and for the kindness.
September 11, 2025 at 8:48 PM
Hello Deno users - if you're still getting one of the infected packages, please clear out your DENO_DIR.
September 11, 2025 at 7:31 AM
The memes have been fire btw, thank you 🙏
September 9, 2025 at 4:17 PM
Hi everyone. The 'next day' busy-ness has fully set in.

Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.

Sincerest apologies for the delay.
September 9, 2025 at 2:10 PM
Everything looks alright, please ping me if something (of mine) looks out of place.

Thank you to everyone for the kind words of support, it really did help ❤️ Time for bed.
September 8, 2025 at 10:07 PM
NPM account restored. My packages should be back to normal; going to do a quick skim to make sure before calling it a day.

NPM doesn't show audit logs so unfortunately it's on them to release any information I haven't already given myself.

Post-mortem to come tomorrow. Thank you everyone <3
September 8, 2025 at 9:47 PM
For anyone who has checks or can otherwise use this information: I won't be publishing anything over the next 48 hours minimum, probably the next week.

Still have not regained access though npm is starting to help with that.
September 8, 2025 at 9:29 PM
NPM is now working to restore my access to the account. Will need to take a break for the evening now that things have settled and I've been in pain all day. Will begin a full retro and post-mortem tomorrow (sorry for the delay).

Feel free to send any Q's my direction in the meantime.
September 8, 2025 at 9:09 PM
Yes, there's at least one other confirmed package that's been hit. I would imagine I'm probably the first / 'loudest' that has been affected, but despite thinking so earlier I don't think this was targeted. They must have filtered based on download count or something to choose which packages to hit.
Our malware systems at Sonatype seem to be picking these up coming from other, not yet reported accounts. This attack seems to have landed more publishers as this unfolds. Check your accounts folks while we work with others to contain.
September 8, 2025 at 8:19 PM
To be clear for anyone curious (sorry, should have syndicated this sooner):

Only my NPM account was breached. Password is not shared. Repositories were not touched.
September 8, 2025 at 8:06 PM