Critical Supply Chain Attack Affects 4 Million Developers
Original: Incident Report: CVE-2024-YIKES
Why This Matters
Highlights critical vulnerabilities in modern software supply chain dependencies
A compromised JavaScript dependency led to a supply chain attack affecting the vulpine-lz4 Rust library and the snekpack Python build tool, impacting approximately 4 million developers before being accidentally resolved by a cryptocurrency mining worm after 73 hours.
The incident began when Marcus Chen, maintainer of the left-justify JavaScript package (847 million weekly downloads), had his laptop stolen and then fell victim to a phishing site while trying to replace his 2FA key. Attackers published a malicious version of the package that exfiltrated credentials, including those for vulpine-lz4, a Rust compression library. The compromised Rust library in turn infected snekpack, a Python build tool used by 60% of PyPI packages containing 'data' in their name. The malware installed SSH keys and reverse shells on developer machines. Security researcher Karen Oyelaran discovered the attack but received no response from the maintainer, who had won €2.3 million in a lottery and was researching goat farming. The attack was accidentally resolved when an unrelated cryptocurrency mining worm interfered with the malicious payload.