Verify ecosystem path before installing tooling during an active supply-chain incident¶
Finding¶
While installing yq as a dependency for SPEC-123 Task 1, the user flagged the Mini Shai-Hulud worm (active wave May 11–12 2026, 172 packages / 403 versions across npm + PyPI) and asked me to verify before installing.
The verification mattered because two distinct tools share the name yq:
| Name (in distribution) | Author / repo | Ecosystem | Shai-Hulud exposure |
|---|---|---|---|
yq (Homebrew formula) |
mikefarah/yq | Go binary, Homebrew bottle | NOT in scope — npm/PyPI exploit doesn't reach Homebrew Go bottles |
yq (PyPI package, aka python-yq) |
Andrey Kislyuk, wrapper around jq |
PyPI | IN scope — PyPI is the affected registry |
brew info yq resolves to mikefarah's Go binary (source: github.com/mikefarah/yq, MIT, Homebrew formula at homebrew-core/Formula/y/yq.rb). The formula explicitly conflicts with python-yq, so brew can't mistakenly install the PyPI variant.
Mini Shai-Hulud's blast radius (per Wiz, Snyk, Unit42, CISA, Hacker News): @tanstack/*, @uipath/*, @mistralai/*, @opensearch-project/*, guardrails-ai. All npm or PyPI. No Homebrew formulae or Go modules in the compromise list.
Pattern (the durable bit)¶
When installing tooling during an active supply-chain incident, verify the distribution path against the incident's blast radius — even for tools that "feel" outside the affected ecosystem. Name collisions across registries (npm/PyPI/Homebrew/Go modules) mean a "safe" tool name can map to an unsafe distribution. The check has three parts:
- What ecosystem does this install resolve to?
brew info <pkg>/pip show <pkg>/npm view <pkg>— confirm the actual source repo and registry. - What is the incident's blast radius? Read at least two independent sources naming the affected registries and scopes.
- Is there a name collision? Most package names exist on multiple registries; the wrong one might be in the blast radius even when "the tool" isn't.
Cost of verification: ~2 minutes. Cost of installing the wrong-ecosystem variant during an active worm wave: potentially severe (credential exfiltration, lateral propagation).
How to apply¶
Trigger this verification whenever:
- A supply-chain incident is actively unfolding (named worm, CISA advisory, registry-wide compromise).
- About to run
brew install,pip install,npm install -g,gem install,go install,cargo install, or equivalent. - Even if the tool is "obviously" outside the incident ecosystem — confirm the distribution path resolves where you think it does.
Skip when: no active incident; routine package.json / requirements.txt updates already pinned in version control; reading-only operations.
Source¶
- This conversation: user-flagged concern at the brew-install decision point in SPEC-123 Task 1 (2026-05-12).
- Web search verification: see Sources list in the conversation (Security Boulevard, Wiz, Snyk, Unit42, Hacker News, CISA).
brew info yqoutput confirming Go-binary path, MIT license, 173k installs in 90 days.