
Reading through the post it looks like this infects via preinstall?

> The new versions of these packages published to the NPM registry falsely purported to introduce the Bun runtime, adding the script preinstall: node setup_bun.js along with an obfuscated bun_environment.js file.



You're right. PNPM disables all install scripts by default. I was just noting one example.



