Rogue One: A Malware Story
mhouge.dk
While adding support for jqfmt to my markdown code block formatter (mdsf, mdsf#700), I came across something weird.
  • just_another_person@lemmy.world
    623·
    19 days ago

    This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.

    GitHub is not compromised, nor sending unintended payloads.

    • ikidd@lemmy.worldOPEnglish
      43·
      19 days ago

      Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

      • just_another_person@lemmy.world
        36·
        19 days ago

        But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

        These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.

  • crystalwalrus@programming.dev
    23·
    19 days ago

    Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.

    • Goun@lemmy.ml
      4·
      18 days ago

      Yes, I agree, but then, what would be an alternative?

      Store it into a file, chmod it and run it? git clone the repo and run a script from it? I don’t think any of those would be different, apart from having more steps most people won’t even check anything.

      I don’t know if we can fix this while allowing people to run stuff they don’t understand on their machines. Maybe community curated scripts or something, know the people who does the stuff and only run stuff made by people you already know.

      I think we’re running too fast, we need to chill down, idk.

      • atzanteol@sh.itjust.worksEnglish
        3·
        18 days ago

        Yes, I agree, but then, what would be an alternative?

        Any package manager that allows for ways to verify the source. These shitty script|bash lines are doing all sorts of nutty shit on your system, and that’s ones that aren’t even malicious.

      • oo1@lemmings.worldEnglish
        10·
        19 days ago

        oh oh, I’m a below average arch user. I suspect i copied most of my hoome from debian or something.

        I’ll rename it to Dickuments as a security feature.

    • ikidd@lemmy.worldOPEnglish
      51·
      19 days ago

      Me neither, I nuke the default freedesktop folders on an install because they clutter up my home folder. But I’d imagine we’re the exception.

  • Phoenixz@lemmy.ca
    6·
    19 days ago

    Yay, finally Linux is being attacked!

    And as expected it takes whole lot more than clicking on an email attachment

    Always check before you curl download something!

    • CarrotsHaveEars@lemmy.ml
      2·
      18 days ago

      No. Feel free to download shit and even attempt to run shit. Chances are they won’t run because shits are compiled against glibc and my system is not.

  • Goun@lemmy.ml
    6·
    18 days ago

    Why the Documents folder tho? Who expects important stuff to be there?

    Now all my Linux ISOs are gone, smh

    • Nino477@lemmy.world
      9·
      19 days ago

      Tru. With Windows defender 💪 i can downloat evry .exe from ze internetz. I currently installing Gta 6 early 😎

    • sylver_dragon@lemmy.worldEnglish
      4·
      19 days ago

      I tried that, I ended up with this weird “Windows 11” adware installed and couldn’t get rid of it. There was also a problem with odd programs and advertising showing up in my Start Menu, even after I removed them. Also, my settings would occasionally just change, without my knowledge or permission.