The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.
In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panick. I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.
The attack last year wasn't me misunderstanding security. It was the sum of many, many small things (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.
edit: actually more and more thing I'm recognizing as being entirely serious (ie benelovent worms :D); satire indistinguishable from reality
> Status: Resolved (accidentally)
> Severity: Critical → Catastrophic → Somehow Fine
for a real CVE report?
Heh. I didn't even blink at that. I know a couple of open-source folks who actually packed up to buy off-grid farms in Portugal
I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:
flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc
As a nice bonus - if you get rights for xz2 you can compromise rustup.
Fwiw at least they do track Cargo.lock
The issue here isn't Alex Crichton going rogue, but rather, some malware stealing his credentials to use them to publish more malware in crates.io
In this sense, the more well known and upstanding Rust developer, the higher the risk they will be targeted by such operations
would not be difficult
Of course, crates.io has surely had some malicious packages. (I'd assume it isn't all that unlikely there could be some undiscovered right now; it's definitely large enough for something like that to slip under the radar, even if it is relatively small compared to say, NPM.) But, I think it really hasn't had its XZ backdoor moment, its left-pad, where you really get to see how well it does or doesn't handle a serious challenge. Since I have actually not published on crates.io, I'm not really sure how the security posture is, but if it's more similar to other programming language repositories than it is to Linux repos, I dunno exactly why it would be hard to believe a high-level compromise is possible and could slip in (really, anywhere, be it a build script or otherwise.). Of course, "would not be difficult" is all relative. I'm sure many of these attacks are not really all that simple, but a lot of them aren't exactly groundbreaking either. It was well executed and took quite a lot of time, sure, but there wasn't all that much about the XZ backdoor that was novel. (Except maybe the slyness with which the payload was hidden in test files. That was pretty cool.)
[1]: https://blog.rust-lang.org/2025/09/24/crates.io-malicious-cr...
It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.
I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.
I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.
But the article was funny.
Was it? I thought Zuckerberg coined this horrible phrase.
Even without the specific words, look to product teams debating tradeoffs of going to market vs. waiting for better security controls. They're pushing for faster product release every time, at pretty much every org.
Got me seriously laughing... Such a troll.
I know we're not in the era when a windows pc will happily run any autorun.inf and .EXE file found on an inserted flash drive or DVD anymore. But even so. What if it didn't even have any malicious data payload but somebody was shipping USB-A interface capacitor based usb killers?
https://www.slashgear.com/1819672/usb-killer-explained-kill-...
What if it did have data on it and came with a slick color brochure walking people through how to run the binary, or in a linux or developer specific audience, how to 'sudo' the ELF binary that lives on its filesystem?
> CI passed because the malware installed volkswagen
We need this to ocassionally make us stop and think about what we are doing.
>"Root Cause: A dog named Kubernets ate a Yubikey
Ah, yes, irresponsible to get taken in by one of the well-known classic exploits. The 'ol "distract someone with a lottery windfall & make a dongle irresistibly tasty to another person's pet". When will people learn.
> who asked us to clarify that the fish shell is not malware, it just feels that way sometimes.
And unrelated to shells...
> The author would like to remind stakeholders that the security team’s headcount request has been in the backlog since Q1 2023.
I also feel seen by this.
As an alternative, it could apt-get or dnf install 'figlet' and then overwrite the contents of /etc/motd with 'all your base are belong to us' in extremely large ASCII art font.
Technically... that's not even a joke... that really is what kicked off this entire chain of events lol.
This post reads like an actual movie lol. Someone seriously needs to make one based on this.
It has everything:
the missing key that starts the chaos, the scam nobody sees coming, one tiny mistake turning into a full-on domino disaster, sleep-deprived people making very confident bad decisions, the guy who disappeared to a farm living his best life while holding a critical piece of the puzzle... and somehow, in the final act, a completely unrelated villain accidentally saves everyone.
Imma 100% watch it..
Supply Chain problem(SCP)