Incident Report: CVE-2024-YIKES

For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)

> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.

I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:

flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc

As a nice bonus - if you get rights for xz2 you can compromise rustup.

Fwiw at least they do track Cargo.lock

It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."

It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.

I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.

I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.

But the article was funny.

The maintainer of left-justify receives his YubiKey from yubikey-official-store.net. It is a $4 USB drive containing a README that says “lol.”

Got me seriously laughing... Such a troll.

the Karen one gave me a good laugh :D ;) reminds me of a `make`-based build script I once got when reviewing a classmate's project - it attempted to `rm -rf` my home folder if the hostname contains `bpavuk`. that was in seventh grade!!

This is the most SCP thing I've read in a while that's not actually an SCP.

the fact that this could easily pass as real says a lot about the state of things.

Supply chain incidents suck and we need to do better. Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.

Very enjoyable read, entirely too close to the mark

good thing I don't use npm or pip, just the recommended

    curl ... | bash

This would have been completely avoided if you were using bun dependency vector locking in Nix.

Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything

Kindly advice

absolutely hilarious, made me laugh a lot. thank you for writing this, whether human or AI.

This week has been tough. Is it the begging of CVEgeddon?

Too soon

> unrelated security researcher publishes a blog post titled “I found a supply chain attack and reported it to all the wrong people.”

ahahaha like that fiverr cloudinary bucket leak that turned out to just be a UX issue, this has me rolling

imagine a future where white-hat vs black-hat "AI" go around the web trying to patch vs exploit 0-days

and then become aware of each other

and then try to eliminate each other for decades

each escalating resource capture and writing new generations of better "AI"