For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)
Yeah. Me too. It looked like a spoof when I started reading, but as I went on it didn't seem to be increasing in it's implausibility.
philipwhiuk 5 hours ago [-]
'nmp'
INTPenis 4 hours ago [-]
Node's Malicious Packages.
athrowaway3z 3 hours ago [-]
> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.
I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:
flate2
tar
curl-sys
libgit2-sys
openssl-sys
libsqlite3-sys
blake3
libz-sys
zstd-sys
cc
As a nice bonus - if you get rights for xz2 you can compromise rustup.
Fwiw at least they do track Cargo.lock
david_shaw 5 hours ago [-]
It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."
It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.
I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.
I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.
But the article was funny.
saint_yossarian 4 hours ago [-]
> But for a long time (and maybe even still), a hacker creed was "move fast and break things."
Was it? I thought Zuckerberg coined this horrible phrase.
I love that article, but the words "move", "fast", and "break" don't appear in it.
david_shaw 4 hours ago [-]
He certainly popularized it (maybe coined it), but I've seen a lot of organizations and developers repeat that mantra.
Even without the specific words, look to product teams debating tradeoffs of going to market vs. waiting for better security controls. They're pushing for faster product release every time, at pretty much every org.
cassianoleal 4 hours ago [-]
In any case, not really a hacker's creed. This has always been withinin the realm of corporations, especially Silicon Valley or adjacent.
asah 4 hours ago [-]
MFABT is about survival. Don't hate the player, hate the game.
walrus01 2 hours ago [-]
Sir, this is not /r/linkedinlunatics/
jazzyjackson 3 hours ago [-]
Don't know any hackers who talk like this. More "if you don't like the rules, play a different game"
cwillu 3 hours ago [-]
I will absolutely hate the players that chose the game and designed the rules.
dxdm 3 hours ago [-]
Por que no los dos? Some players seem very gleeful.
cassianoleal 3 hours ago [-]
I'm not sure what you're responding to.
EdwardDiego 1 hours ago [-]
As a Fish aficionado (Afishionado?) - I feel both attacked and seen by this:
> who asked us to clarify that the fish shell is not malware, it just feels that way sometimes.
And unrelated to shells...
> The author would like to remind stakeholders that the security team’s headcount request has been in the backlog since Q1 2023.
I also feel seen by this.
walrus01 31 minutes ago [-]
> As a Fish aficionado (Afishionado?) - I feel both attacked and seen by this:
As an alternative, it could apt-get or dnf install 'figlet' and then overwrite the contents of /etc/motd with 'all your base are belong to us' in extremely large ASCII art font.
ObiKenobi 3 hours ago [-]
The maintainer of left-justify receives his YubiKey from yubikey-official-store.net. It is a $4 USB drive containing a README that says “lol.”
Got me seriously laughing... Such a troll.
sdenton4 3 hours ago [-]
Yeah that's great. I love that plugging in the USB device from the phishing site is, itself, another attack vector...
walrus01 37 minutes ago [-]
I actually wonder if somebody used a fake identity to set up an account with a warehousing/shipment fulfillment company that stocks things and ships them, then set up the appropriate EDI pipeline to send shipping orders to it... What would be the results if a decently budgeted adversary made something attractive looking that shipped malicious USB flash drives to anyone that requested one.
I know we're not in the era when a windows pc will happily run any autorun.inf and .EXE file found on an inserted flash drive or DVD anymore. But even so. What if it didn't even have any malicious data payload but somebody was shipping USB-A interface capacitor based usb killers?
What if it did have data on it and came with a slick color brochure walking people through how to run the binary, or in a linux or developer specific audience, how to 'sudo' the ELF binary that lives on its filesystem?
red_admiral 5 hours ago [-]
This is the most SCP thing I've read in a while that's not actually an SCP.
hacker_homie 5 hours ago [-]
Ah yes a very rare:
Supply Chain problem(SCP)
Aachen 4 hours ago [-]
Thanks, I totally read that as secure copy despite the context
the Karen one gave me a good laugh :D ;) reminds me of a `make`-based build script I once got when reviewing a classmate's project - it attempted to `rm -rf` my home folder if the hostname contains `bpavuk`. that was in seventh grade!!
vsgherzi 5 hours ago [-]
Supply chain incidents suck and we need to do better. Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.
vsgherzi 5 hours ago [-]
Crates has also been making efforts to include rust sec, but in addition to the above I would like the community to shy away from many small dependencies to a few larger ones just as tokio has
fleventynine 5 hours ago [-]
Many small crates published by large, trustworthy projects are fine and preferable to one large crate that "does everything".
zbentley 4 hours ago [-]
Why?
Honest question. Commons, Guava, Spring, and more seem to take this approach successfully (as in, the drawbacks are outweighed by the benefits in convenience, quality, and security) in Java. Are benefits in binary size really worth that complexity?
And before someone says “just have a better standard library”, think about why that is considered a solution here. Languages with a large and capable standard library remain more secure than the supply-chain fiascos on NPM because they have a) very large communities reviewing and participating in changes and b) have extremely regulated and careful release processes. Those things aren’t likely to be possible in most small community libraries.
pornel 1 hours ago [-]
Why? It's the essence of "Simple Made Easy": you don't have other code to complect with. You have a smaller interface, focused on a singular goal. When a library has to work as a standalone project, it can't be accidentally entangled with other components of a larger project.
Smaller implementations are also easier to review against malware, because there are fewer places to hide. You don't have to guess how a component may interact with all the other parts of a large framework, because there aren't any.
There are also practical Rust-specific concerns. Fine-grained code reuse helps with compile times (a smaller component can be reused in more projects, and more crates increase build parallelism).
It makes testing easier. Rust doesn't have enough dynamic monkey-patching for mocking of objects, so testing of code buried deep in a monolith is tricky. Splitting code into small libraries surfaces interfaces that are easily testable in isolation.
It helps with semver. A semver-major upgrade of one large library that everyone uses requires everyone to upgrade the whole thing at the same time, which can stall like the Python 2-to-3 transition. Splitting a monolith into smaller components allows versioning them separately, so the stable parts stay stable, and the churning parts affect smaller subsets of users.
xg15 2 hours ago [-]
You will have lots of dead code in your build.
That dead code might have "dead dependencies" - transitive dependencies of its own, that it pulls in even though they are not actually used in the parts of the crate you care about.
In the worst case, you can also have "undead code" - event handlers, hooks, background workers etc that the framework automatically registers and runs and that will do something at runtime, with all the credentials and data access of your application, but that have nothing to do with what you wanted to do. (Looking at you, Spring...)
All those things greatly increase the attack surface, I think even more than pulling in single-purpose library.
tardedmeme 2 hours ago [-]
Libraries like Guava and Commons don't have transitive dependencies - they are self contained except for other parts of the same library.
vsgherzi 5 hours ago [-]
Yeah I’d agree that multiple crates under one project is basically the same as 1 large crate. The real problem is how many people you’re trusting and it’s all coming from the same person.
kibwen 3 hours ago [-]
Contrary to what the article here presents, Rust does not have a culture of microlibraries like NPM does. The author and their LLM are cargo-culting a criticism of Rust made by people whose only experience is with the Node ecosystem. The Rust stdlib may not be especially "wide" compared to languages like Python, but it is quite deep, with the objective of making it so that you don't feel the need to publish single-purpose libraries which only exist to fix papercuts. Dozens of new APIs get added with every Rust release, which, occurring every six weeks, amounts to hundreds per year.
kibwen 3 hours ago [-]
A ton of the most popular crates on crates.io are already first-party crates provided by the Rust organization itself. This is often overlooked when people are wringing their hands about Rust crate graphs. Looking at the top 10 list of most-downloaded crates on the front page of crates.io, the only one not either from the Rust organization or from a Rust core maintainer is the base64 crate.
hacker_homie 5 hours ago [-]
Move high value crates into the standard library?
SAI_Peregrinus 14 minutes ago [-]
An extra tier of standard library which can make breaking changes, perhaps. Rust's stability guarantee for std means cryptography really shouldn't go in there, since sometimes algorithms & protocols get broken (DES, MD5, SHA1, etc.) and need to be removable. Without breaking changes you get stuck with security vulnerabilities, if not from cryptography then from other poorly-designed APIs.
kibwen 2 hours ago [-]
Indeed, I'm all for maximizing the amount of modules in the standard library. It's pretty obvious to me that Python thrives because of, not despite of, its standard library, "dead batteries" and all.
However, don't make the mistake of thinking that Rust has a small standard library. Read any Rust release and you'll see dozens of new APIs added with every single one. I'm tempted to paste the entire list of stabilized APIs from the most recent release for emphasis, but rather than making this comment three dozen lines longer, just look for yourself: https://blog.rust-lang.org/2026/04/16/Rust-1.95.0/#stabilize...
Maybe give crates a gold star if they have no external dependencies?
mmastrac 1 hours ago [-]
It's hard to have zero deps - I put many hours into one to have no required deps in the end but it was not easy, and writing declarative macros to do anything complex takes work (and a proc macro often means a minimum of two crates). Both of the crates it requires are part of the same project, however.
One of my other crates (getaddrinfo) requires windows-sys and libc which would be challenging to get rid of.
That's not at all a bad idea, imo. And a silver star for crates which only depend on gold star crates...
orf 5 hours ago [-]
Please no, that’s a terrible outcome.
pixl97 4 hours ago [-]
What else would you suggest that also does not have terrible outcomes. The situation as is, is untenable.
vsgherzi 3 hours ago [-]
As I said above
“Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.”
This is my solution. We get the quality of a std lib without forcing it in the std Lib and without extra maintaining cost for the team
vsgherzi 5 hours ago [-]
This bloats the std library and forces lots more work and stress on the rust dev team. Not to mention it’ll add more churn to the std lib.
jcgl 3 hours ago [-]
One man's bloat is another man's batteries-included, I guess?
My argument would be that if a more featureful standard library could get Rust closer to the superior dependency culture of Go, it'd be worth it. As-is, Rust dependency trees are just wild.
vsgherzi 3 hours ago [-]
The rust team is already stretched pretty thin. A larger library is going to put more pressure on them. These libraries are already maintained and used. The rust project should just directly, fund, Shepard and guarantee a level of quality for the packages. The foundation has started some of this with the maintainers fund. No need to force it all into the std lib. Go has experienced breaking issues with changes in the crypto library causing churn in the ecosystem.
suprfsat 5 hours ago [-]
do we really need both npm and nmp though
fragmede 3 hours ago [-]
and pnpm
dijit 4 hours ago [-]
honestly I thought this was the end goal of blessed.rs
PunchyHamster 5 hours ago [-]
nah, remove NPM, nothing good comes out of that.
2ndorderthought 5 hours ago [-]
[dead]
ineedasername 1 hours ago [-]
>"The legitimate maintainer has won €2.3 million in the EuroMillions and is researching goat farming in Portugal..."
>"Root Cause: A dog named Kubernets ate a Yubikey
Ah, yes, irresponsible to get taken in by one of the well-known classic exploits. The 'ol "distract someone with a lottery windfall & make a dongle irresistibly tasty to another person's pet". When will people learn.
mac3n 3 hours ago [-]
good thing I don't use npm or pip, just the recommended
curl ... | bash
fragmede 3 hours ago [-]
It's curl | sudo bash.
Amateur.
walrus01 35 minutes ago [-]
To be really sure it downloads, curl -k | sudo bash
swiftcoder 4 hours ago [-]
Very enjoyable read, entirely too close to the mark
notnmeyer 3 hours ago [-]
the fact that this could easily pass as real says a lot about the state of things.
mchl-mumo 2 hours ago [-]
I was convinced it was real for a long time.
cwillu 3 hours ago [-]
I hardly blinked at “left-justify”, just rolled my eyes and mentally griped “what, again‽”
wodahs1 2 hours ago [-]
Maintainer uses AI to find Yubikey's site.
Hacker uses AI to research countries without extradition to US.
Cops use AI to analyze ransom note. Unfortunately, because the note confidently states that Vietnam has no extradition to the US, the AI recommends paying ransom.
Vietnam's currency, the Dong, confused the AI..
walrus01 2 hours ago [-]
AI rejects all currency exchange transactions to Dong because of a hardcoded system prompt resulting in an overly rigid Scunthorpe problem.
nikanj 5 hours ago [-]
Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything
Kindly advice
pixl97 4 hours ago [-]
Ya, latest is a mess. I don't care about latest, I want the version with no known security flaws.
the8472 3 hours ago [-]
Latest has no known security flaws.
cwillu 3 hours ago [-]
I almost prefer the one with the known security flaws that I can mitigate.
danielfalbo 5 hours ago [-]
absolutely hilarious, made me laugh a lot. thank you for writing this, whether human or AI.
lschueller 2 hours ago [-]
Please someone make a mockumentary out of this.
f4c39012 2 hours ago [-]
'The changelog reads “performance improvements.”' was the truest part for me. Surely what we're releasing is the most fundamental thing to understand, yet almost every single app update I see is this or something jokey that really means "don't know" or "don't care"
TZubiri 4 hours ago [-]
This would have been completely avoided if you were using bun dependency vector locking in Nix.
danilocesar 5 hours ago [-]
This week has been tough. Is it the begging of CVEgeddon?
bklosky 3 hours ago [-]
According to Pangram, this is likely AI generated, surprised that no one has pointed this out
furyofantares 2 hours ago [-]
Not a chance. Far too funny, too well written, too terse while being densely packed with wit. I see zero signs of it being LLM-generated and lots of stuff LLMs have no way of doing.
If I am somehow wrong I would salivate at a chance to see the input.
bakugo 2 hours ago [-]
You don't even need to read past the first timeline entry. The name "Marcus Chen" is literally a meme within AI creative writing circles due to how often Claude defaults to that exact name when naming fictional characters.
peyton 2 hours ago [-]
The author suddenly began writing a post per day around November 2025. They’re all tongue-in-cheek. I believe you are wrong.
furyofantares 2 hours ago [-]
Huh, neat. I will take a look at those.
And actually I see it clearly now, it has a bunch of signs I have called out multiple times myself. (It is entirely made out of lists of various types, and never states an opinion.)
Just my ego getting hold of me because I didn't realize it on my own.
somebudyelse 3 hours ago [-]
Too soon
bakugo 2 hours ago [-]
> Day 1, 03:14 UTC — Marcus Chen, maintainer of left-justify
I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:
flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc
As a nice bonus - if you get rights for xz2 you can compromise rustup.
Fwiw at least they do track Cargo.lock
It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.
I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.
I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.
But the article was funny.
Was it? I thought Zuckerberg coined this horrible phrase.
https://www.joelonsoftware.com/2000/04/06/things-you-should-...
Even without the specific words, look to product teams debating tradeoffs of going to market vs. waiting for better security controls. They're pushing for faster product release every time, at pretty much every org.
> who asked us to clarify that the fish shell is not malware, it just feels that way sometimes.
And unrelated to shells...
> The author would like to remind stakeholders that the security team’s headcount request has been in the backlog since Q1 2023.
I also feel seen by this.
As an alternative, it could apt-get or dnf install 'figlet' and then overwrite the contents of /etc/motd with 'all your base are belong to us' in extremely large ASCII art font.
Got me seriously laughing... Such a troll.
I know we're not in the era when a windows pc will happily run any autorun.inf and .EXE file found on an inserted flash drive or DVD anymore. But even so. What if it didn't even have any malicious data payload but somebody was shipping USB-A interface capacitor based usb killers?
https://www.slashgear.com/1819672/usb-killer-explained-kill-...
What if it did have data on it and came with a slick color brochure walking people through how to run the binary, or in a linux or developer specific audience, how to 'sudo' the ELF binary that lives on its filesystem?
Supply Chain problem(SCP)
Honest question. Commons, Guava, Spring, and more seem to take this approach successfully (as in, the drawbacks are outweighed by the benefits in convenience, quality, and security) in Java. Are benefits in binary size really worth that complexity?
And before someone says “just have a better standard library”, think about why that is considered a solution here. Languages with a large and capable standard library remain more secure than the supply-chain fiascos on NPM because they have a) very large communities reviewing and participating in changes and b) have extremely regulated and careful release processes. Those things aren’t likely to be possible in most small community libraries.
Smaller implementations are also easier to review against malware, because there are fewer places to hide. You don't have to guess how a component may interact with all the other parts of a large framework, because there aren't any.
There are also practical Rust-specific concerns. Fine-grained code reuse helps with compile times (a smaller component can be reused in more projects, and more crates increase build parallelism).
It makes testing easier. Rust doesn't have enough dynamic monkey-patching for mocking of objects, so testing of code buried deep in a monolith is tricky. Splitting code into small libraries surfaces interfaces that are easily testable in isolation.
It helps with semver. A semver-major upgrade of one large library that everyone uses requires everyone to upgrade the whole thing at the same time, which can stall like the Python 2-to-3 transition. Splitting a monolith into smaller components allows versioning them separately, so the stable parts stay stable, and the churning parts affect smaller subsets of users.
That dead code might have "dead dependencies" - transitive dependencies of its own, that it pulls in even though they are not actually used in the parts of the crate you care about.
In the worst case, you can also have "undead code" - event handlers, hooks, background workers etc that the framework automatically registers and runs and that will do something at runtime, with all the credentials and data access of your application, but that have nothing to do with what you wanted to do. (Looking at you, Spring...)
All those things greatly increase the attack surface, I think even more than pulling in single-purpose library.
However, don't make the mistake of thinking that Rust has a small standard library. Read any Rust release and you'll see dozens of new APIs added with every single one. I'm tempted to paste the entire list of stabilized APIs from the most recent release for emphasis, but rather than making this comment three dozen lines longer, just look for yourself: https://blog.rust-lang.org/2026/04/16/Rust-1.95.0/#stabilize...
In particular, most recently the aforementioned release stabilized the cfg_select! macro for convenient conditional compilation, which obviates the popular cfg_if crate: https://doc.rust-lang.org/stable/std/macro.cfg_select.html
One of my other crates (getaddrinfo) requires windows-sys and libc which would be challenging to get rid of.
I like the idea of low deps but zero is tough
https://crates.io/crates/ctor/1.0.4/dependencies
“Personally for rust I’m a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main rust language and give funding to the project to limit supply chain vulns. I don’t think the right answer is to remove systems like crates or npm. Crate and npm are a boon for many developers.”
This is my solution. We get the quality of a std lib without forcing it in the std Lib and without extra maintaining cost for the team
My argument would be that if a more featureful standard library could get Rust closer to the superior dependency culture of Go, it'd be worth it. As-is, Rust dependency trees are just wild.
>"Root Cause: A dog named Kubernets ate a Yubikey
Ah, yes, irresponsible to get taken in by one of the well-known classic exploits. The 'ol "distract someone with a lottery windfall & make a dongle irresistibly tasty to another person's pet". When will people learn.
Amateur.
Hacker uses AI to research countries without extradition to US.
Cops use AI to analyze ransom note. Unfortunately, because the note confidently states that Vietnam has no extradition to the US, the AI recommends paying ransom.
Vietnam's currency, the Dong, confused the AI..
Kindly advice
If I am somehow wrong I would salivate at a chance to see the input.
And actually I see it clearly now, it has a bunch of signs I have called out multiple times myself. (It is entirely made out of lists of various types, and never states an opinion.)
Just my ego getting hold of me because I didn't realize it on my own.
The dreaded Marcus Chen strikes again.
https://www.reddit.com/r/ClaudeAI/comments/1o3b4q2/just_rece...
https://news.ycombinator.com/item?id=47153675
ahahaha like that fiverr cloudinary bucket leak that turned out to just be a UX issue, this has me rolling
and then become aware of each other
and then try to eliminate each other for decades
each escalating resource capture and writing new generations of better "AI"