Cabal & Hackage Security History
Timeline (Dec 2025 - Jan 2026)
This log tracks security incidents affecting the cabal-install tool and the Hackage package repository.
December 2025

| Period | Status | Details |
|---|---|---|
| Week 1 (Dec 1 – 7) | ● Safe | None. |
| Week 2 (Dec 8 – 14) | ● Safe | None. |
| Week 3 (Dec 15 – 21) | ● Safe | None. |
| Week 4 (Dec 22 – 28) | ● Safe | None. |
January 2026

| Period | Status | Details |
|---|---|---|
| Week 1 (Dec 29 – Jan 4) | ● Safe | None. |
| Week 2 (Jan 5 – Jan 11) | ● Safe | None. |
| Week 3 (Jan 12 – Jan 18) | ● Critical | Jan 16: Infrastructure Breach (HSEC-2024-0004) |
Incident Report: Jan 16, 2026
Critical Infrastructure Breach (HSEC-2024-0004)
- Target: `hackage-server` and `hackage.haskell.org`
- Vulnerability: Stored Cross-Site Scripting (XSS)
- Impact:
  - Malicious HTML/JS files could be served via source packages or documentation uploads.
  - This exposed users to potential session hijacking when viewing compromised package pages.
- Resolution:
  - The Haskell Security Response Team (SRT) publicly disclosed the issue.
  - Mitigation: User content was migrated to a sandboxed domain (`hackage-content.haskell.org`) to prevent script execution on the main domain.