Unrelated crypto worm accidentally neutralises catastrophic supply chain attack on 4.2 million developer machines
The incident, formally identified as CVE-2024-YIKES, saw malware installed on developer workstations before a cryptocurrency propagation script updated the vulnerable package to a clean version.
A critical security incident has compromised approximately 4.2 million developer machines globally, stemming from a compromised dependency within the JavaScript ecosystem. The breach originated when the maintainer of the widely used package left-justify fell victim to a phishing attack, resulting in the theft of credentials required to access the npm registry.
These stolen credentials were subsequently used to infiltrate vulpine-lz4, a Rust compression library that serves as a transitive dependency for the cargo tool itself. Although the library had minimal direct usage, with only 12 GitHub stars, its critical position in the build toolchain allowed attackers to vendor the malicious code into snekpack, a popular Python build tool employed by 60 per cent of PyPI packages containing the word "data".
The malware distributed through snekpack version 3.7.0 installed reverse shells on affected systems and altered user default shells to fish. The malicious payload was designed to activate specifically on Tuesdays, connecting to a command-and-control server to execute further commands. This attack chain highlights the fragility of modern software supply chains, where a single point of failure can cascade across multiple languages and millions of users.
Remarkably, the incident was resolved not by a coordinated security response, but by an unrelated cryptocurrency mining worm known as cryptobro-9000. While spreading through a vulnerability in jsonify-extreme, the worm executed automatic package upgrades on infected machines. This action inadvertently updated snekpack to version 3.7.1, a legitimate release that reverted to a clean version of the vulpine-lz4 dependency, effectively disabling the malware's activation mechanism.
The legitimate maintainer of vulpine-lz4 had not touched the repository in two years and had believed that Cargo's two-factor authentication was optional, a lapse in security posture that facilitated the initial compromise. Following the accidental resolution, the organisation issued a security advisory citing an abundance of caution, though a formal retrospective has been rescheduled three times and has yet to occur.
This event marks the third security incident reported by the organisation this quarter, prompting a review of security posture despite a headcount request for the security team being in the backlog since the first quarter of 2023. While the immediate threat has been neutralised, the incident underscores the significant risks posed by supply chain vulnerabilities and the unpredictable nature of automated package management systems.