Shai Hulud Is A Choice (this is about npm and Microsoft)
I am frustrated and disappointed.
As you probably know, a widespread compromise of the npm ecosystem known as Shai Hulud has been ongoing for several months now. I'm not going to recap the compromise; that's covered in detail elsewhere.
Very few people in the world can appreciate the challenges of running the npm registry as well as I can. Call-outs are a bad look. I have already provided feedback via the private channels available to me.
Microsoft and GitHub are handling this situation poorly.
Today, I came across this marketing post. It is hard to see this and not conclude that Microsoft is allowing Shai Hulud to continue because it's useful in selling security products.
Things that could help prevent Shai Hulud compromise, in order of value:
- Staged publishes.
- Require MFA for all publishes.
- Make OIDC scalable for organizations and users with hundreds of packages.
Things that do literally nothing to prevent Shai Hulud compromise:
- Limiting key duration to 90 days.
- Microsoft Defender.