Aaah finally, malware for Linux, truly the year of the Linux Desktop!
We made it! I never thought I’d live to see this day!
The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.
This is absolutely not just specific to Go.
- PyPi
- npm
- Maven Central
- Docker Hub
- Artifact Hub
- PPA
- AUR
The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.
Cargo also has a
--gitoption but I suppose it’s not default behaviorSure! My point is that hosting doesn’t really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.
I agree, I was just giving another example to raise awareness about that feature of rust.
If anyone is curious, I checked the yay aur helper go dependencies here and it had none of the malicious packages mentioned on this post
Taking garbage collection to a whole new level !
This is why we can’t have nice things
Any intel on affected, high-profile software?
I found the original blog post more educational.
Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.
The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.
Halloween documents pt 2
