RE: https://cosocial.ca/@mhoye/116553395984214488

“Summary:

A compromised dependency in the JavaScript ecosystem led to credential theft, which enabled a supply chain attack on a Rust compression library, which was vendored into a Python build tool, which shipped malware to approximately 4 million developers before being inadvertently patched by an unrelated cryptocurrency mining worm.”

@timbray @mhoye @andrewnez I am ashamed to say it took many many paragraphs for it to click that this was satire. Even the lottery winning maintainer didn't push it over the edge of credulity. Also I don't know how quote reply notifications work here so I'm cc'ing the world.

@dan @timbray @mhoye @andrewnez same. missed the satire tag (low contrast and I scrolled down fast) plus actual site URLs not super readable on mobile. So much was believable but odd details kept being added that seemed unlikely for a CVE. Fortunately for the next CVE writer the LLMs will get trained on this soon!