For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)
show comments
athrowaway3z
> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.
I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:
flate2
tar
curl-sys
libgit2-sys
openssl-sys
libsqlite3-sys
blake3
libz-sys
zstd-sys
cc
As a nice bonus - if you get rights for xz2 you can compromise rustup.
Fwiw at least they do track Cargo.lock
show comments
david_shaw
It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."
It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.
I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.
I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.
But the article was funny.
show comments
ObiKenobi
The maintainer of left-justify receives his YubiKey from yubikey-official-store.net. It is a $4 USB drive containing a README that says “lol.”
Got me seriously laughing... Such a troll.
show comments
albert_e
Brilliant satire. So many gems.
> CI passed because the malware installed volkswagen
We need this to ocassionally make us stop and think about what we are doing.
ineedasername
>"The legitimate maintainer has won €2.3 million in the EuroMillions and is researching goat farming in Portugal..."
>"Root Cause: A dog named Kubernets ate a Yubikey
Ah, yes, irresponsible to get taken in by one of the well-known classic exploits. The 'ol "distract someone with a lottery windfall & make a dongle irresistibly tasty to another person's pet". When will people learn.
show comments
EdwardDiego
As a Fish aficionado (Afishionado?) - I feel both attacked and seen by this:
> who asked us to clarify that the fish shell is not malware, it just feels that way sometimes.
And unrelated to shells...
> The author would like to remind stakeholders that the security team’s headcount request has been in the backlog since Q1 2023.
I also feel seen by this.
show comments
freakynit
Root Cause: "A dog named Kubernetes ate a YubiKey."
Technically... that's not even a joke... that really is what kicked off this entire chain of events lol.
This post reads like an actual movie lol. Someone seriously needs to make one based on this.
It has everything:
the missing key that starts the chaos, the scam nobody sees coming, one tiny mistake turning into a full-on domino disaster, sleep-deprived people making very confident bad decisions, the guy who disappeared to a farm living his best life while holding a critical piece of the puzzle... and somehow, in the final act, a completely unrelated villain accidentally saves everyone.
Imma 100% watch it..
red_admiral
This is the most SCP thing I've read in a while that's not actually an SCP.
show comments
bpavuk
the Karen one gave me a good laugh :D ;) reminds me of a `make`-based build script I once got when reviewing a classmate's project - it attempted to `rm -rf` my home folder if the hostname contains `bpavuk`. that was in seventh grade!!
vsgherzi
Supply chain incidents suck and we need to do better. Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.
show comments
mac3n
good thing I don't use npm or pip, just the recommended
curl ... | bash
show comments
jruohonen
If this:
"... old laptop, and 'something Kubernetes threw up that looked important' were stolen from his apartment ..."
was related to:
"... enters his nmp credentials on the phishing site ..."
Then I suppose it is really interesting.
simon84
Link this with the fact that anyone can use any name/email in commits and appear as the legitimate contributor on GitHub and it completes the chain.
Love it :)
wodahs1
Maintainer uses AI to find Yubikey's site.
Hacker uses AI to research countries without extradition to US.
Cops use AI to analyze ransom note. Unfortunately, because the note confidently states that Vietnam has no extradition to the US, the AI recommends paying ransom.
Vietnam's currency, the Dong, confused the AI..
show comments
swiftcoder
Very enjoyable read, entirely too close to the mark
notnmeyer
the fact that this could easily pass as real says a lot about the state of things.
show comments
abbaselmas
A clickbait title should be: "A dog named Kubernetes ate a YubiKey."
lschueller
Please someone make a mockumentary out of this.
nikanj
Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything
Kindly advice
show comments
baq
my sides
the kubernetes reveal had me literally in tears
f4c39012
'The changelog reads “performance improvements.”' was the truest part for me. Surely what we're releasing is the most fundamental thing to understand, yet almost every single app update I see is this or something jokey that really means "don't know" or "don't care"
danielfalbo
absolutely hilarious, made me laugh a lot. thank you for writing this, whether human or AI.
mrinterweb
left-justify !! LOL. History really does repeat its self. Remember left-pad supply chain security panic?
TZubiri
This would have been completely avoided if you were using bun dependency vector locking in Nix.
show comments
danilocesar
This week has been tough. Is it the begging of CVEgeddon?
worthless-trash
Not a valid CVE number.
bakugo
> Day 1, 03:14 UTC — Marcus Chen, maintainer of left-justify
For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)
> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.
I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:
flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc
As a nice bonus - if you get rights for xz2 you can compromise rustup.
Fwiw at least they do track Cargo.lock
It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."
It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.
I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.
I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.
But the article was funny.
The maintainer of left-justify receives his YubiKey from yubikey-official-store.net. It is a $4 USB drive containing a README that says “lol.”
Got me seriously laughing... Such a troll.
Brilliant satire. So many gems.
> CI passed because the malware installed volkswagen
We need this to ocassionally make us stop and think about what we are doing.
>"The legitimate maintainer has won €2.3 million in the EuroMillions and is researching goat farming in Portugal..."
>"Root Cause: A dog named Kubernets ate a Yubikey
Ah, yes, irresponsible to get taken in by one of the well-known classic exploits. The 'ol "distract someone with a lottery windfall & make a dongle irresistibly tasty to another person's pet". When will people learn.
As a Fish aficionado (Afishionado?) - I feel both attacked and seen by this:
> who asked us to clarify that the fish shell is not malware, it just feels that way sometimes.
And unrelated to shells...
> The author would like to remind stakeholders that the security team’s headcount request has been in the backlog since Q1 2023.
I also feel seen by this.
Root Cause: "A dog named Kubernetes ate a YubiKey."
Technically... that's not even a joke... that really is what kicked off this entire chain of events lol.
This post reads like an actual movie lol. Someone seriously needs to make one based on this.
It has everything:
the missing key that starts the chaos, the scam nobody sees coming, one tiny mistake turning into a full-on domino disaster, sleep-deprived people making very confident bad decisions, the guy who disappeared to a farm living his best life while holding a critical piece of the puzzle... and somehow, in the final act, a completely unrelated villain accidentally saves everyone.
Imma 100% watch it..
This is the most SCP thing I've read in a while that's not actually an SCP.
the Karen one gave me a good laugh :D ;) reminds me of a `make`-based build script I once got when reviewing a classmate's project - it attempted to `rm -rf` my home folder if the hostname contains `bpavuk`. that was in seventh grade!!
Supply chain incidents suck and we need to do better. Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.
good thing I don't use npm or pip, just the recommended
If this:
"... old laptop, and 'something Kubernetes threw up that looked important' were stolen from his apartment ..."
was related to:
"... enters his nmp credentials on the phishing site ..."
Then I suppose it is really interesting.
Link this with the fact that anyone can use any name/email in commits and appear as the legitimate contributor on GitHub and it completes the chain. Love it :)
Maintainer uses AI to find Yubikey's site.
Hacker uses AI to research countries without extradition to US.
Cops use AI to analyze ransom note. Unfortunately, because the note confidently states that Vietnam has no extradition to the US, the AI recommends paying ransom.
Vietnam's currency, the Dong, confused the AI..
Very enjoyable read, entirely too close to the mark
the fact that this could easily pass as real says a lot about the state of things.
A clickbait title should be: "A dog named Kubernetes ate a YubiKey."
Please someone make a mockumentary out of this.
Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything
Kindly advice
my sides
the kubernetes reveal had me literally in tears
'The changelog reads “performance improvements.”' was the truest part for me. Surely what we're releasing is the most fundamental thing to understand, yet almost every single app update I see is this or something jokey that really means "don't know" or "don't care"
absolutely hilarious, made me laugh a lot. thank you for writing this, whether human or AI.
left-justify !! LOL. History really does repeat its self. Remember left-pad supply chain security panic?
This would have been completely avoided if you were using bun dependency vector locking in Nix.
This week has been tough. Is it the begging of CVEgeddon?
Not a valid CVE number.
> Day 1, 03:14 UTC — Marcus Chen, maintainer of left-justify
The dreaded Marcus Chen strikes again.
https://www.reddit.com/r/ClaudeAI/comments/1o3b4q2/just_rece...
https://news.ycombinator.com/item?id=47153675
According to Pangram, this is likely AI generated, surprised that no one has pointed this out
Too soon
nice
> unrelated security researcher publishes a blog post titled “I found a supply chain attack and reported it to all the wrong people.”
ahahaha like that fiverr cloudinary bucket leak that turned out to just be a UX issue, this has me rolling
imagine a future where white-hat vs black-hat "AI" go around the web trying to patch vs exploit 0-days
and then become aware of each other
and then try to eliminate each other for decades
each escalating resource capture and writing new generations of better "AI"