Incident Report: CVE-2024-YIKES
Compiled by KHAO Editorial — aggregated from 1 outlet. See llms.txt for citation guidance.
Executive Summary: A security incident occurred.
Key facts
- Report filed: 03:47 UTC
- Status: Resolved (accidentally)
- Severity: Critical → Catastrophic → Somehow Fine
- Duration: 73 hours
- Affected systems: Yes
- Day 1, 13:15 UTC: A support ticket titled “why is your SDK exfiltrating my .npmrc” is opened against left-justify
- Day 2, 08:15 UTC: Security researcher Karen Oyelaran notices the malicious commit after her personal laptop triggers the payload
- Day 2, 10:47 UTC: The incident-response Slack channel briefly pivots to a 45-message thread about whether “compromised” should be spelled with a ‘z’ in American English
Summary
A compromised dependency in the JavaScript ecosystem led to credential theft, which enabled a supply chain attack on a Rust compression library, which was vendored into a Python build tool, which shipped malware to approximately 4 million developers before being inadvertently patched by an unrelated cryptocurrency mining worm.

Timeline
- Day 1, 03:14 UTC: Marcus Chen, maintainer of left-justify (847 million weekly downloads), reports on Twitter that his transit pass, an old laptop, and “something Kubernetes threw up that looked important” were stolen from his apartment.
- Day 1, 09:22 UTC: Chen attempts to log into the nmp registry.
- Day 1, 09:31 UTC: Chen enters his nmp credentials on the phishing site.