Apparently there’s a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly get a pile of stars more than the original, and then there’s a curl-bash pipe inserted into it that runs some ransomeware that encrypts ~/Documents.
About a dozen other projects linked in here from another developer (excuse the Reddit link): https://old.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/
This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.
GitHub is not compromised, nor sending unintended payloads.
Many of the projects are backend dev tools, like the Atlas provider linked in the thread.
But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.
These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.
OK, fair enough, I changed the title.
👍
Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.
good time to not have a ~/Documents and keep backups encrypted off site
Why the Documents folder tho? Who expects important stuff to be there?
Now all my Linux ISOs are gone, smh
That simply wouldn’t work in non-english machines lmao
Maybe they’re using xdg-dirs? That might work, won’t it?
Yay, finally Linux is being attacked!
And as expected it takes whole lot more than clicking on an email attachment
Always check before you curl download something!
No. Feel free to download shit and even attempt to run shit. Chances are they won’t run because shits are compiled against glibc and my system is not.
