Skip to content

Verify ecosystem path before installing tooling during an active supply-chain incident

Finding

While installing yq as a dependency for SPEC-123 Task 1, the user flagged the Mini Shai-Hulud worm (active wave May 11–12 2026, 172 packages / 403 versions across npm + PyPI) and asked me to verify before installing.

The verification mattered because two distinct tools share the name yq:

Name (in distribution) Author / repo Ecosystem Shai-Hulud exposure
yq (Homebrew formula) mikefarah/yq Go binary, Homebrew bottle NOT in scope — npm/PyPI exploit doesn't reach Homebrew Go bottles
yq (PyPI package, aka python-yq) Andrey Kislyuk, wrapper around jq PyPI IN scope — PyPI is the affected registry

brew info yq resolves to mikefarah's Go binary (source: github.com/mikefarah/yq, MIT, Homebrew formula at homebrew-core/Formula/y/yq.rb). The formula explicitly conflicts with python-yq, so brew can't mistakenly install the PyPI variant.

Mini Shai-Hulud's blast radius (per Wiz, Snyk, Unit42, CISA, Hacker News): @tanstack/*, @uipath/*, @mistralai/*, @opensearch-project/*, guardrails-ai. All npm or PyPI. No Homebrew formulae or Go modules in the compromise list.

Pattern (the durable bit)

When installing tooling during an active supply-chain incident, verify the distribution path against the incident's blast radius — even for tools that "feel" outside the affected ecosystem. Name collisions across registries (npm/PyPI/Homebrew/Go modules) mean a "safe" tool name can map to an unsafe distribution. The check has three parts:

  1. What ecosystem does this install resolve to? brew info <pkg> / pip show <pkg> / npm view <pkg> — confirm the actual source repo and registry.
  2. What is the incident's blast radius? Read at least two independent sources naming the affected registries and scopes.
  3. Is there a name collision? Most package names exist on multiple registries; the wrong one might be in the blast radius even when "the tool" isn't.

Cost of verification: ~2 minutes. Cost of installing the wrong-ecosystem variant during an active worm wave: potentially severe (credential exfiltration, lateral propagation).

How to apply

Trigger this verification whenever:

  • A supply-chain incident is actively unfolding (named worm, CISA advisory, registry-wide compromise).
  • About to run brew install, pip install, npm install -g, gem install, go install, cargo install, or equivalent.
  • Even if the tool is "obviously" outside the incident ecosystem — confirm the distribution path resolves where you think it does.

Skip when: no active incident; routine package.json / requirements.txt updates already pinned in version control; reading-only operations.

Source

  • This conversation: user-flagged concern at the brew-install decision point in SPEC-123 Task 1 (2026-05-12).
  • Web search verification: see Sources list in the conversation (Security Boulevard, Wiz, Snyk, Unit42, Hacker News, CISA).
  • brew info yq output confirming Go-binary path, MIT license, 173k installs in 90 days.