Cyber Incident Victim: Haskell

Date: Feb 2023

Location: United States of America

Summary

Haskell experienced a security breach affecting its Debian Builds component (deb.haskell.org), prompting the hosting provider to suspend the server after detecting malicious activity and anomalous outgoing traffic. The compromise was isolated to a single Rackspace data center in Chicago, with no impact on other services. The organization assessed that the window for package tampering was limited, but concerns emerged about potential exposure of the package signing key, which, if compromised, could enable trojaned package distribution via man-in-the-middle attacks. The server remained offline during the investigation.

Description

On February 12, 2023, Haskell’s hosting provider detected suspicious anomalies in outgoing traffic from the deb.haskell.org server, which hosts Debian Builds for the Haskell programming language. This server was part of the Rackspace ORD data center in Chicago, one of six Rackspace facilities supporting Haskell’s infrastructure. The hosting provider suspended deb.haskell.org shortly after detecting the traffic irregularities, taking it offline to contain potential malicious activity. Haskell’s security team confirmed the security breach on February 14, clarifying that no other components (including its main website, downloads server, mail services, and MySQL databases) were compromised. External services relying on Haskell also remained unaffected. The team initiated efforts to restore functionality but kept the server offline pending further investigation.

On February 15, Haskell disclosed additional details, confirming the compromise of deb.haskell.org and reiterating the February 12 detection timeline. The security team asserted that the swift suspension of the server minimized the window for attackers to tamper with packages, though they did not confirm whether the package signing key was accessed. Concerns arose in community discussions, notably from a Hacker News user ("kfreds"), who warned that a compromised signing key could enable trojaned package distribution across Linux systems, though exploiting it would require a man-in-the-middle attack scenario. As of the article’s publication date, deb.haskell.org remained offline, with Haskell’s security team continuing restoration and assessment work. The breach exclusively impacted the Chicago-based Rackspace ORD infrastructure, leaving Haskell’s broader open-source ecosystem (supported by sponsors like DataDog and DreamHost) operationally intact outside the Debian Builds component.
