Incident Report: CVE-2024-YIKES
5 hours ago
- #supply-chain-attack
- #malware
- #dependency-vulnerability
- A compromised JavaScript dependency led to a major supply chain attack affecting around 4 million developers. The chain began with a stolen transit pass and laptop, which led to the theft of publishing credentials.
- Attackers used those credentials to publish malicious updates to 'left-justify' and 'vulpine-lz4', both of which were vendored into the Python tool 'snekpack'. The malware that shipped with it added attacker SSH keys to compromised hosts and changed login shells.
- The incident was resolved by accident: an unrelated cryptocurrency-mining worm updated 'snekpack' to a clean version as part of its own propagation, neutralizing the threat.
- Contributing factors included weak authentication practices, AI tools that linked to phishing sites, over-reliance on small transitive dependencies, and poor CI/CD hygiene.
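The two persistence actions the summary attributes to the malware (new SSH authorized_keys entries and changed login shells) are cheap to check for on a fleet if a baseline was recorded before the incident. The script below is an added example written for this page, not code from the incident, from 'snekpack', or from any of the packages named above; the /etc/passwd and authorized_keys snapshots it runs on are constructed for illustration, and the key material in them is placeholder text.

```python
"""Compare a saved baseline of /etc/passwd and authorized_keys against the
current state and report the indicators named in the summary: SSH keys that
were added and login shells that changed. Added example; sample data below
is constructed, not taken from the incident.
"""
from dataclasses import dataclass

# Key types accepted in authorized_keys; used to locate the key token even
# when an options prefix such as command="..." or from="..." precedes it.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssh_key_added", "ssh_key_removed", "shell_changed", "user_added"
    subject: str  # username, or "<type> <first 16 chars of key>"
    detail: str


def parse_passwd(text: str) -> dict[str, str]:
    """Map username -> login shell from /etc/passwd-style lines."""
    shells: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip instead of crashing the scan
        shells[fields[0]] = fields[6]
    return shells


def parse_authorized_keys(text: str) -> set[tuple[str, str]]:
    """Return the set of (key_type, base64_key) pairs, ignoring comments and
    option prefixes. A quoted option containing a key-type word would confuse
    this simple tokenizer; acceptable for a baseline diff."""
    keys: set[tuple[str, str]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                keys.add((tok, tokens[i + 1]))
                break
    return keys


def diff_hosts(baseline_passwd: str, current_passwd: str,
               baseline_keys: str, current_keys: str) -> list[Finding]:
    """Produce findings for every change between baseline and current state."""
    findings: list[Finding] = []

    old_shells, new_shells = parse_passwd(baseline_passwd), parse_passwd(current_passwd)
    for user, shell in new_shells.items():
        if user not in old_shells:
            findings.append(Finding("user_added", user, f"new account with shell {shell}"))
        elif old_shells[user] != shell:
            findings.append(Finding("shell_changed", user,
                                    f"{old_shells[user]} -> {shell}"))

    old_keys, new_keys = parse_authorized_keys(baseline_keys), parse_authorized_keys(current_keys)
    for ktype, key in sorted(new_keys - old_keys):
        findings.append(Finding("ssh_key_added", f"{ktype} {key[:16]}", "not in baseline"))
    for ktype, key in sorted(old_keys - new_keys):
        findings.append(Finding("ssh_key_removed", f"{ktype} {key[:16]}", "present in baseline"))
    return findings


# Constructed sample snapshots (placeholder key material, not real keys).
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
svc:x:1001:1001::/var/lib/svc:/usr/sbin/nologin
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
svc:x:1001:1001::/var/lib/svc:/bin/bash
"""
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERDEPLOYKEY deploy@laptop\n"
CURRENT_KEYS = BASELINE_KEYS + \
    'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERATTACKER x@x\n'

if __name__ == "__main__":
    for f in diff_hosts(BASELINE_PASSWD, CURRENT_PASSWD, BASELINE_KEYS, CURRENT_KEYS):
        print(f"{f.kind:16} {f.subject:40} {f.detail}")
```

Run on the constructed snapshots it reports the 'svc' account's shell moving from nologin to bash and one ssh-rsa key that is absent from the baseline. On a real fleet the baseline would come from configuration management or a pre-incident backup; a key added with a `command=` option is still caught because the parser locates the key-type token rather than assuming it is first on the line.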