48 comments

[ 0.22 ms ] story [ 62.9 ms ] thread
Supply chain incidents suck and we need to do better. Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.
This is the most SCP thing I've read in a while that's not actually an SCP.
Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything

Kindly advice

For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)
Just because it's not important to pay attention to CVEs, why not waste the readers' time by creating "fictional" CVEs without a disclaimer in the first line? Just because it's not already difficult to scrape through the information and noise on this internet... especially if it appears on the front page of hackernews
As the victim of the one from last year, it wasn't particularly fun to read.

The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.

In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panick. I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.

The attack last year wasn't me misunderstanding security. It was the sum of many, many small things (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.

> The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.

I'm a security geek, a clean track record means much less to me than anyone would expect. The comment from the article mentioning that there was no evidence of exploitation explains why. I would never have noticed that implication, because I don't think it exists. (And it's completely unreasonable if it does), so that's your own deal... it's not a good conclusion to take from the article.

The only thing that matters is how much any given owner cares. Are they willing to go the extra mile to make sure things get done correctly. That's the best signal about if you can trust a project. Seems like you give a shit, so I wouldn't be too hard on yourself. The people that matter can tell, (everyone who can't tell is already willing to lie so they can be safely ignored!)

> In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panick.

You haven't dealt with it yet, if you want to get your attention back so you can spend it on more important things than worrying about something from the past, you gotta talk to somebody. A therapist would help the fastest, but friends and family are often just as good.

> I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.

Seriously, having been there myself it's not worth it... you're just allowing them to DoS your brain by allowing them to live rent free in your head. The only thing that matters is how seriously you take the remediation. Attention to detail, and the willingness to go the extra mile for security defects to tie up all loose ends is what matters. It's not your job to fix everybody's issue yourself, even if they don't or can't. You still have to enjoy life, or you burn out, and some idiot that doesn't care will take your place. Then they really win.

You're not responsible for the security or stability of anybody using nightly packages. (Only maintainer signed and tagged releases)

> The attack last year wasn't me misunderstanding security. It was the sum of many, many small things

so, a misunderstanding of how the little things actually impact security?

> (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.

Those other personal things are the kinda thin that being able to enjoy a vacation make much easier. You can't help anybody if you don't put on your own mask first... Well... You definitely can, you're obviously trying to do now, but it's needless harder.

Npm, and the JavaScript ecosystem is a fucking joke. It's a mistake to blame yourself (or any maintainer) for how difficult it is to meet the bar for both security and accessibility. Worrying about the difficulty in consistentenly demonstrating the perfection required for security is a fool's errand, and your allowing the bad guys to get what they want by letting it live rent free in your head, it won't go away for as long as you worry about it more than you talk about it.

And I say all of that as the person who has multiple times, made the argument that it's perfectly fine to name an engineer and their decisions or incompetence as the root cause analysis in an official incident report. (Pilot Error is a thing): If I thought you were r...

Contributing factors are entirely serious

edit: actually more and more thing I'm recognizing as being entirely serious (ie benelovent worms :D); satire indistinguishable from reality

i got half way through before i realized
(comment deleted)
absolutely hilarious, made me laugh a lot. thank you for writing this, whether human or AI.
It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."

It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.

I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.

I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.

But the article was funny.

We don't need hindsight for the problems of supply chain security to be obvious. Security people were writing and doing talks about this stuff over 10 years ago, just (like most things in security) things start getting addressed once the pressure of incidents gets high enough :)
This week has been tough. Is it the begging of CVEgeddon?
(comment deleted)
(comment deleted)
Very enjoyable read, entirely too close to the mark
This would have been completely avoided if you were using bun dependency vector locking in Nix.
(comment deleted)
> unrelated security researcher publishes a blog post titled “I found a supply chain attack and reported it to all the wrong people.”

ahahaha like that fiverr cloudinary bucket leak that turned out to just be a UX issue, this has me rolling

The maintainer of left-justify receives his YubiKey from yubikey-official-store.net. It is a $4 USB drive containing a README that says “lol.”

Got me seriously laughing... Such a troll.

imagine a future where white-hat vs black-hat "AI" go around the web trying to patch vs exploit 0-days

and then become aware of each other

and then try to eliminate each other for decades

each escalating resource capture and writing new generations of better "AI"

good thing I don't use npm or pip, just the recommended

    curl ... | bash
> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.

I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:

flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc

As a nice bonus - if you get rights for xz2 you can compromise rustup.

Fwiw at least they do track Cargo.lock

the fact that this could easily pass as real says a lot about the state of things.
the Karen one gave me a good laugh :D ;) reminds me of a `make`-based build script I once got when reviewing a classmate's project - it attempted to `rm -rf` my home folder if the hostname contains `bpavuk`. that was in seventh grade!!
According to Pangram, this is likely AI generated, surprised that no one has pointed this out
I never used Pangram before today, but since I've seen it mentioned many times on HN and I enjoyed reading the OP, I decided to try it. I am only using the free plan so let me know if I'm missing something. I am assuming the parent was referring to the tool hosted at pangram.com and not some other tool of the same name.

Pangram indeed claims the OP is 76% AI-generated. It has "high confidence" (EDIT: some parts are "medium confidence") that the early portions of the text were created by AI, and "medium confidence" that some of the later potions were written by a human. EDIT: I was especially dismayed to see that the dog might have been an AI creation :(

When I use the "supporting evidence" option, the main piece of evidence Pangram provides is the frequent use of em-dashes. Each timestamp is followed by an em-dash. Personally I think the em-dashes could be a copy-pasted em-dash or inserted by a markdown to HTML converter. nesbitt.io is apparently using Jekyll [0] - any Jekyll users know anything about this??

Pangram's "supporting evidence" feature also considers → and € to be "unusual Unicode".

Personally, to me it looks like the "supporting evidence" feature still needs some work because Pangram's AI detection is probably a lot more sophisticated than a grep for Unicode symbols. In fact the feature even has a notice claiming that "These patterns aren't used to determine our AI score; they help you see why AI text often reads differently."

As for the rest of the OP's content, it would be interesting to compare the Pangram results to a timeline of a real vulnerability. I tried doing so, but exhausted my free "Pangram credits" - apparently the first 1000 words of this article [1] about the log4j vulnerability is considered 100% human.

[0] https://github.com/andrew/nesbitt.io

[1] https://www.csoonline.com/article/571797/the-apache-log4j-vu...

Maintainer uses AI to find Yubikey's site.

Hacker uses AI to research countries without extradition to US.

Cops use AI to analyze ransom note. Unfortunately, because the note confidently states that Vietnam has no extradition to the US, the AI recommends paying ransom.

Vietnam's currency, the Dong, confused the AI..

'The changelog reads “performance improvements.”' was the truest part for me. Surely what we're releasing is the most fundamental thing to understand, yet almost every single app update I see is this or something jokey that really means "don't know" or "don't care"