guhcampos 18 hours ago [-]
> Why do they only clone new repositories, rather than popular ones?
> Why do they delete a commit and push a new one every few hours?
Because this is not targeted to humans. It's targeted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster.
Then to the more interesting question: why now?
1. Agents, agents everywhere.
2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm - and my guess is it's looking to all those sweet sweet Facebook/Instagram/Tiktok/Whatsapp accounts ready to bot their way into oblivion.
saidnooneever 4 hours ago [-]
2 is full on speculation. It can be any kind of purpose.
Cthulhu_ 3 hours ago [-]
Yes, a lot of compromised accounts are just put onto a marketplace of sorts, either selling the account itself directly or offered as services to promote a product / political talking point / propaganda / engagement.
eru 3 hours ago [-]
Or it could just be that someone vibe coded the worm, and vibe coding is relatively young.
0xEF 2 hours ago [-]
I like how quickly this got dismissed as speculation as though we don't live in an age where election tampering and manipulation of public opinion for political reasons are so commonplace that incidents of it just blend in with the other forgettable global headlines.
vintermann 5 hours ago [-]
Political manipulation is a problem, but I don't think it's nearly as profitable as pushing scams and gambling.
saidnooneever 4 hours ago [-]
just get residential botnets to watch ur youtube channel click all the ads u don't need many bots. There are many ways to monetize things.
Governments just run sim farms etc. they don't need to use this kind of approach for political influence. Not to say that some don't but generally they will not be stealing accounts. (most bots involved in campaigns to get trump in his seat were not stolen accounts)
nine_k 5 hours ago [-]
I suspect that politicians right before elections may pay more than standard gambling. They gamble with much higher stakes.
netsharc 3 hours ago [-]
Hah, outsourcing political "influencing" to tiny "consulting" companies that promise great things but are a rickety AI slop shop in the backend.
I suppose the only difference to the Big 4 is the price tag.
I guess politicians could claim to be hiring a voter research company and profess to be oblivious to the "voter hacking" schemes (hacking the voters' minds to lean whichever way the politician wants them to lean).
Cthulhu_ 3 hours ago [-]
You'd be surprised at how there are individuals and organizations willing to pay a lot of money to do political manipulation / influencing.
lynx97 3 hours ago [-]
> ... and organizations willing to pay a lot of money to do political manipulation / influencing.
Like what, parties campaigning?
mschuster91 2 hours ago [-]
We're talking about foreign influence here. All recent US and German elections reeked of Russian dark money, then there was the entire Cambridge Analytica mess and before that it was Brexit.
brettermeier 55 minutes ago [-]
And Elon Musk's dark money. Don't forget that. He gives his best to influence European politics.
mschuster91 39 minutes ago [-]
Don't think he gives money, but yes, he definitely does everything he can to help out the far-right with his global audience.
edm0nd 2 hours ago [-]
more like it would be from the nation state level. for example, RU pushing these lil psyop bots to get Trump elected and/or grow the divide in between Ds and Rs.
SCdF 4 hours ago [-]
It's more profitable because it allows you to select political perspectives that allow you, the scammer and/or gambler, to scam or gamble harder.
tommica 5 hours ago [-]
On that level, power and control trumps profit
makethembroke 5 hours ago [-]
a kind of
alecthomas 2 hours ago [-]
That doesn't seem likely, given that there's a reference from February 2025 documenting the pattern.
Jimmc414 17 hours ago [-]
This is happening to me as well. I have a few moderately popular open source projects and I have found my name attached to new projects that I have nothing to do with or they are derivatives of my projects with redirection to unknown sites.
> Projects using my name which I have no affiliation with or they are projects I have written that they have injected new URLs into:
How do you find these? I don't want to search for my name on those dodgy sites, as that tells them my projects exist.
schrodinger 12 hours ago [-]
Idk if this is intentional or just part of an innocent site that’s unwittingly hosting these but I just got a “we’re verifying your browser” page, as if _I’m_ the suspicious one. Nice social engineering.
SoftTalker 8 hours ago [-]
Happens more and more if you're running uBlock.
RoadieRoller 19 hours ago [-]
> Why do they delete a commit and push a new one every few hours?
Maybe to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users end up cloning the trojan infected one.
philistine 19 hours ago [-]
Bingo!
mattgreenrocks 9 hours ago [-]
They're also gaming the heuristic that if an OSS repo hasn't had any pushes in ~6mos many users consider it defunct.
Being reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from Github and "checked the code himself, it had looked legitimate":
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
Strong support for the strategy of not putting your TOTP/MFA in your password manager, which has been argued on HN in the past.
8cvor6j844qw_d6 17 hours ago [-]
> Strong support for the strategy of not putting your TOTP/MFA in your password manager
Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
Password managers assume a non-compromised device. I don't think there exists a password manager that is explicitly designed for a compromised/hostile device.
A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
14u2c 15 hours ago [-]
> Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
tedd4u 10 hours ago [-]
One could perhaps put those in a different vault. Sounds like a pain to me. But nothing compared to an email and/or banking compromise.
bartread 9 hours ago [-]
It becomes tricky when all your passwords are randomly generated, 24 characters long, full of symbols, special characters, casing variations, etc. All of mine are an absolute nightmare to type manually.
I suppose that becomes a pretty strong argument for passphrases + MFA, because passphrases are much easier to type in manually. But the problem there is lots of services still have stupid/arbitrary maximum password length restrictions that make it difficult or impossible to use a sufficiently complex passphrase.
It’s very frustrating.
bigiain 8 hours ago [-]
You can generate "pronounceable" passwords in some tools.
1PW just generated this for me: mimp-rort-jan-mon-kain-sqin
Not as much entropy as 24 random letters/digit/punctuations/capitalisation. But (for me at least) much easier to read and type in situations where copy/paste isn't available (like from my phone to my dev docker containers)
dbmnt 8 hours ago [-]
Yes but parent was saying use passphrases, which is the same, just more like "correct horse battery staple". Parent then correctly pointed out there are a large number of sites that enforce special characters, numerical digits, etc., also being part of the password. So that idea falls apart very quickly in practice.
ponector 4 hours ago [-]
>> mimp-rort-jan-mon-kain-sqin
And then you see they are not accepting such a weak password. Add special characters, numbers, etc.
schrodinger 11 hours ago [-]
That’s a good point.
Maybe a good compromise is to use 1pw for most TOTP but keep your gmail / iCloud and a few others in an iPhone only app?
Gmail is what scares me the most. It’s basically keys to the kingdom.
everybodyknows 8 hours ago [-]
> Gmail
We might all do well to remind F&F to print out account recovery codes, and then put some thought into where they'll be safe.
frantathefranta 8 hours ago [-]
I settled on that after trying to be extra careful with TOTP. Now my split is 95% of passwords, TOTP codes and passkeys in 1Password, 5% (really important stuff like email) in an offline KeePass DB + passkeys on Yubikeys.
bigiain 8 hours ago [-]
> Important TOTPs can go to Yubikeys.
Once you have a Yubikey (preferably two, so you have a backup if you damage/lose one) - you may as well make _that_ your primary MFA method, and only use TOTP for services you can't enrol your Yubikeys on.
deepsun 16 hours ago [-]
But it's a hassle to have at least 2 yubikeys in case you lose one. And since you regularly sign up for new websites with OTPs, gotta keep them in sync. So always carry both with you. And if you carry both, then it's easy to lose both at the same time.
UPDATE: also gotta keep track separately of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one yubikey, need to sync all passkeys to a new replacement one.
cuu508 14 hours ago [-]
I add a note in the password manager's notes field for sites where I've added Yubikeys as the second factor. I can get the list of the sites using search, and from time to time I go through them to check if a backup key needs to be registered. I create new accounts infrequently.
zygentoma 15 hours ago [-]
Would be nice if you could get an exact clone of a yubikey, so you always have a spare in case you lose one.
Though I think there is also the option that sites can store some sort of identifier on the key, then this would not work:/
captn3m0 14 hours ago [-]
> I don't think there exists a password manager that is explicitly designed for a compromised/hostile device.
The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.
embedding-shape 14 hours ago [-]
> tried this with hardware only password managers but they were too annoying
And besides that, ultimately if the computer you're using has been compromised, whatever you do on that computer can be mucked about with, so while the password sits safely on the hardware, once you're logged in in the browser, the cookie is just sitting there. I guess you'd get furthest isolation with Qubes et al, but with a regular Linux installation you'd still be exposed with a hardware password manager, if the installation has been compromised.
embedding-shape 14 hours ago [-]
> Agreed, but I think using the same device to access your password manager and for dev
Almost all development I do, and most others, are on our projects or projects we're at least interested in, and most likely dove into, that's why we're developing in them in the first place.
In this case, it seems like the developer wasn't actually developing anything, but playing around with image generation on his time off, for fun, and ended up pulling down a random 3rd party thing and got compromised that way. Very different from "for dev" I'd say.
Besides, didn't most developers start isolating projects from each other when the first npm worms started to appear? I know I stopped running `npm install` in the same environment I do my banking, and drastically reduced the amount of random 3rd party stuff I have, still use all the same device though. Even have a Windows install on the same computer, booo!
criddell 15 hours ago [-]
On Linux, would something like Snap or Flatpak have protected them? It seems nuts that a random executable should have access to the password service.
embedding-shape 14 hours ago [-]
Ultimately it depends on the exact mechanism here, maybe the tool/README said "Run sudo ./setup-deps" and they followed it, or something similar, not sure any sort of software isolation would have helped at that point.
Gigachad 12 hours ago [-]
Yes if the flatpak sandboxing is enabled. A flatpak can just request access to anything, the software store thing shows a bunch of scary warnings when they do this but many users probably ignore them.
cdmckay 16 hours ago [-]
You can make it so you need a YubiKey to login to 1Password the first time on a new device
So just waiting for the password won’t be enough
auxinl 15 hours ago [-]
The hackers will literally have access to _your_ device though. If your device is already trusted, I doubt that setting will do you any good.
schrodinger 11 hours ago [-]
Wonder if you could run your password manager in an isolated sandbox that couldn’t provide the secret behind the TOTP, only the current value.
frereubu 15 hours ago [-]
I think this is true in technical terms, but I have not seen a compelling description of what that looks like without it sounding like a real pain to manage.
Does anyone have a description of something manageable?
Sleaker 15 hours ago [-]
Keepass, use different db stores for passwords than for the MFA/TOTP. never store the keepass db passwords anywhere except your head. Use a different device for the totp db than the passwords.
Terr_ 18 hours ago [-]
> putting your TOTP/MFA in your password manager
I suppose the inverse would be starting with a device that offers TOTP/MFA, and then making your password-manager/vault somehow available on that same device. In either case, bringing them together makes it easier for an attacker to compromise both at the same time.
On reflection, I've never actually put my (personal) password vault on my phone, but that may be less of a conscious security stance than fulfilling a millennial stereotype, where certain tasks (like big purchases) are reserved for "a real computer."
Closest I've gotten is having my USB backup keychain in the same pocket, so I could get to it in an emergency, but it's inconveniently air-gapped.
rectang 18 hours ago [-]
As much as I like the Apple Passwords app, one of its downsides is that if I have my TOTP app on my iPhone, both passwords and TOTP live on the same device. So for many services I use Bitwarden for passwords.
mcfly_c-137 15 hours ago [-]
For TOTP i use ente auth[0], which i can highly recommend.
i also force most apps on iOS to ask for face id (long press on app icon to set this).
Separate and additional auth service based on physical ownership is always nice!
rolph 17 hours ago [-]
i would also offer, do not use the same device for everything, make sure any local connectivity has firewalled [dot]finances, and [dot]tech lab from each other and else. you should probably split your network to further isolate.
use intentional spelling mistakes in your password vault, edit the password by hand. you also need to have some way of authenticating login components to be sure you're running your version of login, and not a trojan login.
toomuchtodo 18 hours ago [-]
Or using a hardware authenticator.
uncivilized 16 hours ago [-]
Story states he wasn't using 2FA for his 1password account at all.
mixdup 16 hours ago [-]
why was he even bothering then
giancarlostoro 17 hours ago [-]
If I go through the effort to view the code for something, I then compile it myself.
hnlmorg 17 hours ago [-]
What makes you think he downloaded a pre-compiled binary? The linked article doesn’t explicitly say that’s what happened. It just says he downloaded software from GitHub. Which might well have been the source code that he then compiled.
giancarlostoro 16 hours ago [-]
Looks like it was some comfyui plugin, so probably didn't even need to be compiled.
WalterBright 6 hours ago [-]
A password manager is a single point of failure and should be avoided. I've heard other sad stories about someone whose pw manager was compromised and they lost everything.
hnlmorg 1 hours ago [-]
While you’re not wrong in principle, it’s still the least worst in the vast majority of cases.
I think the bigger problem is using your pw manager for 2FA too.
pksebben 6 hours ago [-]
out of curiosity - what scheme do you suggest? I've always been of the mind that 'one thing to remember and secure, but secure it well' was the best option - 2factor and a 15+character passphrase meaning that nearly everything else gets its own discretized blast radius.
Always open to better security, though.
WalterBright 4 hours ago [-]
Have a different password for every account, and don't store them on your computer.
rurban 5 hours ago [-]
True for KeePass or 1Password, but not for GNU pass.
bananamogul 18 hours ago [-]
I reported a repo containing obvious nulled software to GitHub in February 2024.
The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried.
The repo is still there 2+ years later and GitHub has taken no action.
If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.
xantronix 18 hours ago [-]
GitHub is so close to becoming SourceForge. In order to become the scum-infested cesspool it truly longs to be, Microsoft needs to relentlessly serve ads on GitHub. Then, the cycle will once again be complete.
I can't wait to discover the next thing to be disappointed by in a decade's time.
lukan 11 hours ago [-]
For it to be complete, they need to start changing binaries and bundling software with a microsoft launcher.
ForOldHack 13 hours ago [-]
Nice quote of Darth Vader there ;) "The cycle will once again be complete."
Also reminds me to update my fake CV.
davidcrowe 13 hours ago [-]
Same thing happened to one of my repos in Feb. I wrote up the details with screenshots.
This is just one flavour of abuse. GitHub does NOT give a shit about the scale of the malware problem.
I've seen so many forms of malware repos working on a GitHub trends newsletter [1], mostly about crypto, NFTs, KMS, and similar stuff.
In the first runs of the project, I was so surprised by tens of malware repos that looked like trending repos. A lot of them share some common traits that made filtering feasible:
- Made by a fresh GitHub user - many created in the past few days.
- The average creation date of Stargazers accounts is very close to the repo creation date. If you take the mean time diff, those bad repos get exposed.
I reported 10s of malware repos, but then I gave up as I felt GitHub was not really doing enough to fight back. I was like... these guys don't seem to care, why should I?
God knows how many people have been abused by these malware repos on GitHub.
This is the problem with software/services being taken over by big entities: they no longer have to care under the umbrella of "too big to fail".
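Added example, not part of any comment in this thread: a Python implementation of the two traits listed above (a fresh owner account, and stargazer accounts whose creation dates sit close to the repo's creation date), applied as a triage filter. The thresholds, the flattened dict field names, the use of an absolute gap, the rule that both traits must fire, and the sample records are all constructed assumptions; only the `created_at` timestamp format mirrors what the GitHub API returns.

```python
from datetime import datetime, timezone
from statistics import mean

# Thresholds are assumptions for illustration; the thread gives no numbers.
FRESH_OWNER_DAYS = 7   # owner account created within a week of the repo
CLOSE_GAP_DAYS = 14    # mean gap between stargazer-account and repo creation
MIN_STARGAZERS = 5     # below this the mean gap is too noisy to use


def parse(ts):
    """Parse a UTC timestamp in the ISO 8601 form used for created_at."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_between(a, b):
    """Absolute distance between two timestamps, in days."""
    return abs((parse(a) - parse(b)).total_seconds()) / 86400


def mean_stargazer_gap(repo):
    """Mean absolute gap between each stargazer account's creation date and
    the repo's creation date, or None when there are too few stargazers."""
    accounts = repo["stargazer_created_at"]
    if len(accounts) < MIN_STARGAZERS:
        return None
    return mean(days_between(ts, repo["created_at"]) for ts in accounts)


def assess(repo):
    """Return which of the two traits from the comment this repo exhibits."""
    traits = []
    if days_between(repo["owner_created_at"], repo["created_at"]) <= FRESH_OWNER_DAYS:
        traits.append("fresh_owner")
    gap = mean_stargazer_gap(repo)
    if gap is not None and gap <= CLOSE_GAP_DAYS:
        traits.append("stargazers_created_near_repo")
    return traits


def review_queue(repos):
    """Names of repos showing both traits: candidates for manual review,
    not a verdict (requiring both is an assumption of this example)."""
    return [r["name"] for r in repos if len(assess(r)) == 2]


# Constructed sample records (hypothetical repos, not real data).
REPOS = [
    {   # old owner, stargazer accounts spread over a decade
        "name": "example/established-lib",
        "created_at": "2024-01-10T09:00:00Z",
        "owner_created_at": "2015-06-01T00:00:00Z",
        "stargazer_created_at": [
            "2012-03-04T00:00:00Z", "2016-08-19T00:00:00Z",
            "2019-11-02T00:00:00Z", "2021-05-23T00:00:00Z",
            "2023-12-30T00:00:00Z",
        ],
    },
    {   # owner two days old, stargazer accounts all minted the same week
        "name": "example/cloned-trending-tool",
        "created_at": "2025-02-03T12:00:00Z",
        "owner_created_at": "2025-02-01T12:00:00Z",
        "stargazer_created_at": [
            "2025-01-30T12:00:00Z", "2025-02-01T12:00:00Z",
            "2025-02-02T12:00:00Z", "2025-02-03T12:00:00Z",
            "2025-02-04T12:00:00Z", "2025-02-05T12:00:00Z",
        ],
    },
    {   # genuine newcomer: fresh owner, but too few stars to judge
        "name": "example/first-project",
        "created_at": "2025-03-10T00:00:00Z",
        "owner_created_at": "2025-03-08T00:00:00Z",
        "stargazer_created_at": ["2018-01-01T00:00:00Z", "2020-07-15T00:00:00Z"],
    },
]

if __name__ == "__main__":
    for repo in REPOS:
        print(repo["name"], assess(repo), mean_stargazer_gap(repo))
    print("review queue:", review_queue(REPOS))
```

The third record shows why the fresh-owner trait alone is a weak signal: every first-time contributor has it, so the stargazer gap carries most of the weight.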
frereubu 15 hours ago [-]
I have no idea of the kind of investment this would take in terms of time and money, but is it beyond the realms of possibility to run code submitted to GitHub through a basic filter? Genuine question - I have no experience of systems at that scale. But the fact that Microsoft is able to replace URLs in emails with ones that redirect through their systems so they can block malware URLs makes me feel like it should be possible.
mustaphah 14 hours ago [-]
You can probably catch a big pie of those with simple heuristics to flag suspicious repos for expensive review (human- or AI-based). I did that with public account & repo data, and I believe they can do much more given the amount of private data they have access to.
I'm talking about 10s of repos flagged in a few hours. I don't think the volume would be that big for an expensive review.
gleenn 14 hours ago [-]
It exists, although people complain it is too noisy. You can hook in any of your own tools too.
If most malware repos are created in the last few days by a fresh user, then it sounds like GitHub is taking action against them? Or where are the old ones?
mustaphah 16 hours ago [-]
Well, my trend detection logic rewards recent stars more than older ones [1]. Recency is an important factor for many custom and public tools that track GitHub trends. I think the bad guys intentionally recreate repos - I actually noticed that.
That being said, they do take action if you report the repo. So I'm guessing good users are doing the heavy lifting here with reporting. I don't believe GitHub is taking enough proactive measures, or maybe they do, but it's not working well, obviously.
Yea, I'd change it to, they care about the malware and will remove the repos, but above everything else they don't want to slow down the signup flow
socalgal2 17 hours ago [-]
Most of HN doesn't give a shit about the malware problem. They will happily click "Give XYZ App ... permission to act on your behalf" to all of their repos with zero knowledge of what permissions are being requested. Github's Auth system doesn't tell the user what permissions are being requested
Note: Github has 2 auth systems. OAuth, and Github Auth. OAuth lists permissions but most apps use Github Auth which does not. So that app that gives you a badge or lets you comment could be asking for write permission to all your repos. You have no idea.
sieabahlpark 16 hours ago [-]
[dead]
StableAlkyne 21 hours ago [-]
> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
sureglymop 19 hours ago [-]
I've seen it many times on google where the phishing sites were advertised results stickied above the results they impersonate.
Another good reason to use ublock origin!
weird-eye-issue 21 hours ago [-]
This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match
tuetuopay 16 hours ago [-]
That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!
I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.
weird-eye-issue 10 hours ago [-]
Oh I've never seen anything like that. But it would still help because my password manager pops up matching logins so you could just open that manually and then copy paste parts of it or type it in.
shermantanktop 14 hours ago [-]
Had a similar UK bank experience. Without knowing it would be used for that, I had created a password that had digits. So "What's the 4th character" would be something like "6," "What's the 6th digit" would be "2," like an Abbott and Costello routine.
pibaker 8 hours ago [-]
Unfortunately it's not uncommon to find legitimate websites that break autofill in some ways. And the more such websites a user encounters, the more likely he will just mindlessly paste his password into a phishing site as he has learned to do for real ones.
Passkeys solve this problem but have their own usability issues.
weird-eye-issue 8 hours ago [-]
My password manager will warn me if I manually copy a password out of it and then try to paste it in a domain that does not match
StableAlkyne 20 hours ago [-]
I use keepass (FOSS under GPL, fully offline).
It does not detect domains.
jabroni_salad 19 hours ago [-]
The autotyper can with a little bit of finagling. Every browser has a 'url in title bar' extension available and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make I would think.
weird-eye-issue 8 hours ago [-]
Maybe use a better one or the browser extension like other commenters are saying?
graemep 20 hours ago [-]
KeepassXC browser integration will do that.
throawayonthe 18 hours ago [-]
you can have it be offline and still a browser extension (when i used keepassxc it could do that)
vel0city 21 hours ago [-]
"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."
Meanwhile U2F/Passkeys can't possibly be abused like this.
tjoff 21 hours ago [-]
Yeah but the downsides of passkeys make them so much worse anyway.
jcattle 20 hours ago [-]
Pretty happy with having a yubikey on my keychain. Log in someplace new? plonk in your yubikey and off you go!
AlotOfReading 20 hours ago [-]
I used to keep a yubikey in a spare slot on my laptop. One day it fell out and subsequently escaped through an unnoticed hole in my backpack.
I've never lost a password because my backpack was overly abused.
brendoelfrendo 20 hours ago [-]
That's why you keep it on your keychain and not in a spare slot on your laptop.
AlotOfReading 18 hours ago [-]
It's not possible to put a 5c nano on a keychain. They're intended to be kept in the slot at all times.
someguyiguess 20 hours ago [-]
And when your keychain gets lost then what?
jcattle 20 hours ago [-]
Then I have a backup yubikey at home for services which allow to register two keys. For others there's still good old password+some second factor.
vel0city 18 hours ago [-]
Then I use the authenticator built into my phone. Or the authenticator built into my desktop. Or the authenticator built into my laptop. Or my other authenticator.
My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.
I open the safe where I keep my spare Yubikey. Or I use the passkey stored in my phone, or the one on my laptop. Make passkeys, put them everywhere.
weird-eye-issue 10 hours ago [-]
Well mine pops up a big warning if you try pasting when the domain doesn't match it so at least it would force you to take a second look. Also all the real world services that I use have passkeys as 2fa which I also store in the password manager
bonoboTP 21 hours ago [-]
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.
Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
spicyusername 20 hours ago [-]
> at least not Google
Is one giant mega-corp better than any other?
You're going to have a hard time convincing me the answer is yes.
swatcoder 17 hours ago [-]
> I never see Google return phishing pages
Maybe you're not looking or maybe you're lucky.
Either way, many of us see it happen all the time there too. For GitHub especially, I almost never get the canonical repo for a project in my Google results. Phishing or innocuous, it's almost always some fork at the top and then a bunch of non-github.com sites.
Search is more or less "cooked" now, as they say. Google vs Bing vs DDG vs Kagi is mostly in the noise.
abc123abc123 20 hours ago [-]
Why would you go to your bank by first searching for it? Sounds very insecure to me. I type my bank's URL directly instead, or if that gets tedious, store it as a bookmark.
I know several people who search for important sites, click uncritically on links, and get scammed. This is not so good.
chrisweekly 20 hours ago [-]
speaking only to search quality: try Kagi.
mrguyorama 15 hours ago [-]
> I never see Google return phishing pages or typo squatters in the first page
Our company constantly has phishing copies of our real pages as first results in Google. We have no ability to get them taken down. It costs us serious money every year, and hurts our customers who get swindled because Google lets some brand new domain registered yesterday come before the company that has existed for 20 years.
If you haven't seen it on google, you aren't looking hard enough.
RetroTechie 2 hours ago [-]
Any Google employees here that could share some insights on how this kind of thing works from SE p.o.v.? Or why it works that way?
astronodev 21 hours ago [-]
[dead]
lookeey 21 hours ago [-]
It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.
RetroTechie 1 hours ago [-]
It's a matter of how much effort you want to put in, and what you get out of it.
Years ago, a friend of mine fell victim to a romance scam. Damage ~€3k. It involved fake websites of non-existing logistics companies, a fake banking site where victim could 'help' a person 'transfer funds' for them, a long chat history (over Viber or something like that, initiated through Facebook), etc.
This being a good friend, I put in some legwork, saved local copies of sites, etc. Some findings:
# It's easy to find copies of sites of the one(s) used to defraud victim. In this case, ~50. And compile a list, what's the hoster of each & where domains are registered.
# Fake banking sites are easy to determine since legitimate banks are recorded in per-country registries. Legitimate: website's security certificate (extended validation etc) indicates [bank_X], bank_X listed as such in registry of country it operates in. Not? -> fake.
For non-banking fake sites it's more difficult to tell.
# Hosting companies & domain registrars do take action. As long as you provide correct & detailed info, in such a way that it's easy for them to act on. Professional companies don't like having legal / financial liabilities sit around.
# If there's security certificates involved, informing issuer of that can remove "secure connection" from a whole batch of sites in 1 go. Makes it harder to convince future victims. (no lock icon on a banking site?!?)
# An official request could be filed with this victim's bank (passed on to recipient's bank), that would give holder of recipient account 2 options: a) return the funds, or b) have their personal details revealed to victim - for use in legal proceedings etc.
This was within EU area. Likely, recipient would be a money mule & not respond. But then you'd get money mule's full name/contact info etc (home address?)
# Police / fraud orgs etc rarely have time for this. You need to do the legwork yourself.
Ultimately, my friend decided not to pursue the matter. But in the meantime, I had caused >2/3 of those fake sites to be deleted (and all the fake banking sites I'd found), and some security certificates to be revoked. Obviously that disrupts scammer's operations to some degree (and costs them time, $$, potential victims dropped etc). So it's not like you can't do anything.
dentemple 19 hours ago [-]
This is what a community is for!
No individual person can be the superhero that saves the day on everyone's behalf. But what we can do is provide what little help or insight that we have, and then pass the issue along to others.
Perhaps all it means is that you end up doing what OP did: the "deeper" research that you mentioned plus a little post on Hacker News or elsewhere.
Even if nothing comes of it in the end, at least you'll have tried.
mowfask 4 hours ago [-]
Adding a link to a malware zip? That seems pretty naive.
Where are all the training-data poisoning repositories? Those set up so the next generation LLMs will be trained to include malware in the code they generate. Isn't that the new kind of supply-chain attack that's probably happening right now?
ma2kx 4 hours ago [-]
Is this also a some kind of a Trojan/malware attack?
> A Rust reimplementation of pylint that produces byte-for-byte identical output — 15–2300× faster (median ~85×).
> prylint is not "inspired by" pylint. [...] Where pylint has bugs, prylint reproduces them. Where pylint crashes, prylint reports the same crash message.
emodendroket 21 hours ago [-]
I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.
embedding-shape 21 hours ago [-]
> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
emodendroket 21 hours ago [-]
No, I've not been "living on" such a principle but it was a big claim for "the bazaar."
embedding-shape 21 hours ago [-]
Aha, wasn't that argument more about that closed source software is more likely to hide stuff you don't agree with, than FOSS? Not necessarily that FOSS won't have any viruses or malware, but it's at least less likely. That was my take away, but long time ago I read the book admittedly, I might misremember or transformed it automagically over time.
CapsAdmin 21 hours ago [-]
This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as binaries.
jankdc 20 hours ago [-]
> source code open makes it auditable, if not by you, maybe the community
I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.
embedding-shape 17 hours ago [-]
I don't know, I feel like the "numbers" like upvotes, stars, favorites or whatever stops working for me the second I see it being obviously gamed, and when there is a ton of services for buying "higher $number". GitHub stars probably stopped mattering around 2016-17 sometime, I think that's the first time I came across one of those "increase $number" services.
By now (imo), the entire web is gamed and no number can be trusted, I operate completely on a qualitative basis rather than quantitative, basically the only way I can get something out of the web. Ignore all and any numbers as any indication of anything.
emodendroket 6 hours ago [-]
I know. But the problem is that in reality the only way to get people to audit software reliably is to pay them to do it, so it's not really true as a general principle that open-source software is more thoroughly vetted.
CapsAdmin 4 hours ago [-]
I'd say it's objectively true to say that open source software is easier to audit compared to closed source software, which you can extrapolate to mean that it's less prone to malicious code injection.
It's not perfect, but surely it's easier to audit for malicious code than closed source.
Also, there is no shortage of volunteers looking out for code changes in established open source software. I think it's fair to exclude software that is very new and/or that has no users, which may be closer to equal footing with proprietary software.
Even for established proprietary software, you get volunteers watching out for changes in releases. Though, far less than open source, and more reserved for people who know reverse engineering.
abc123abc123 20 hours ago [-]
You'd better read it again, because that claim does not figure in that text. You might mean that with more eyes on the code, more bugs are found, than with no eyes on the code. But that is not what you are saying here.
rectang 18 hours ago [-]
Here is the relevant quote from _The Cathedral and the Bazaar_[1], which was given the name _Linus's Law_[2] in honor of Linus Torvalds:
> You've been living on such a principle? That sounds insane
Fun fact, I've spent the last few days fretting over whether to add H2 to my FabricMC mod. The problem being that I don't know what class-loading shenanigans could possibly occur if I jar-in-jar include it: what happens if another mod has H2 jar-in-jar included? Will my mod only reference its own version of H2? What implications [if any] would that have? Or will the Fabric Loader pick one? What if another mod has H2 shaded instead? Will the classes clash differently? What if, instead of jar-in-jar including it, I shade and relocate it? Does H2 or JDBC rely on reflection or services that would render it non-functional?
All recommendations point to using/creating a mod specifically for that library and depending on it. As luck would have it, one already exists on Modrinth. Except... I'm then requiring anyone who trusts my mod to also install this other mod that I have no control over. I just looked at the source code and it looks fine, but that's if you trust that the published jars are the exact result of that source code: maybe there's something malicious in the Gradle Wrapper binary. This mod could at any time become malicious and how would I detect that?
Guess what? I asked around and was summarily told to stop worrying, that it's fine. We on this website need to realise that we're a minority: NO ONE is routinely (or even occasionally) scrutinising the source code of the stuff they install from third-party websites. I have never, not once, seen anyone hash a downloaded file to check that it matches what's on the website. At the very most, I've seen people find the Github repo, see that it has a lot of stars, and then assume it's safe.
embedding-shape 17 hours ago [-]
It's worth remembering that mod development/ecosystem has a very different engineering approach compared to software engineering in companies, or even FOSS at large. If you asked around in a modding community about software development, you'd get very different responses compared to the in-house company Slack or whatever.
Defletter 17 hours ago [-]
Of course, it's a largely hobbyist venture, which also inadvertently makes it more difficult to audit. But the software engineering aspect was not really the point, just the context: the vast majority of people will just blindly install anything (regardless of whether it's open or closed source), clicking through the installation wizard, accepting the prompts for admin privileges, etc, without a care. But even within the minority of us end users who know what "open source" even means, there's a shocking amount of people who assume that an open source project is necessarily safer because, well, the source is publicly available... someone must've already done an audit, therefore it's safe.
ForOldHack 12 hours ago [-]
It does not just sound insane, it is insane...
"He reverse-engineered an actual attack.
The project contained scripts that enabled code injection and crypto-wallet theft.
His post (highly recommended):"
"The execp package (version 0.0.1) is an infamous, malicious dependency frequently used in recent supply-chain attacks and job interview scams. Threat actors embed this 9-year-old package into seemingly innocent "technical assessments" or projects. When you run npm install, it quietly executes arbitrary shell commands in the background to compromise your machine."
tuwtuwtuwtuw 21 hours ago [-]
> You've been living on such a principle?
I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.
nixosbestos 20 hours ago [-]
No, it's really not, and really hasn't been. Do people truly have such poor reasoning and logic skills?
"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in open-source software". I've literally never heard someone claim the latter.
(edit for coherency, thanks graemep)
emodendroket 6 hours ago [-]
I would say that it's not just an academic argument that's being made about what is technically possible but a stronger claim about what is likely. If the claim is just you technically _could_ do it, sure, that's true by definition.
graemep 20 hours ago [-]
I think you mean open source in the second bit in quotes.
birksherty 19 hours ago [-]
> "it is impossible to hide malware in open-source software"
No nobody said "exactly that". But many times I've seen people claiming to trust open source as it is safer and people can check and build themselves. Seen it too many times. But reality is different than what is claimed.
thwarted 18 hours ago [-]
It's safer in the same sense as if you're paranoid about your date being a serial killer, you meet them in a public venue. It doesn't mean your date isn't a serial killer, but the risk profile is different because other people can be involved/witness/have context.
You didn't use the word "safe", you used the relative term "safer", and on average, it is harder to hide ill intent in open source software, there's a greater chance it will eventually be discovered. The blast radius is larger for open source (because the barrier to using it is lower), which increases the number of people impacted, but an increase in the number of people impacted also increases the chance of discovery and motivation to address it once discovered.
emodendroket 6 hours ago [-]
I would wager a policy of only installing commercial software from well known vendors has a better success rate.
tuwtuwtuwtuw 18 hours ago [-]
I genuinely don't understand what you are trying to say.
fsflover 21 hours ago [-]
This is not the argument at all. It's just easier to discover malware in closed software.
spicyusername 20 hours ago [-]
The choice is between code you can validate and code you can't, not code that has malware and code that doesn't.
swatcoder 17 hours ago [-]
That's not a distinction that people really benefit from.
Approximately nobody can read other people's code for intent or quality, let alone to surface malware meant to be hidden in it.
For almost everyone, the only hope is that somebody else validated the code you want to use before you choose to use it and successfully interfered with its distribution upon finding an issue. That's why the culture of automatic-updating package managers and bloated dependency graphs are so dangerous and why inserting delays into package managers can make such a difference in exposure to supply chain attacks for those that are intent to use them.
It's true that open source provides the transparency that makes any kind of third-party validation possible, but closed source benefits from commercial vendors staking their brand on what they release. It's a tradeoff, not a straightforward win for one side.
spicyusername 16 hours ago [-]
> That's not a distinction that people really benefit from.
> Approximately nobody can read other people's code for intent or quality
I can't disagree more.
ptx 20 hours ago [-]
The problem the article is describing seems to have little to do with open source. There were GitHub repositories that had links added in their READMEs to a zip file containing compiled binaries.
GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)
doctorpangloss 14 hours ago [-]
there are numerous OSS maintainers who have turned GitHub into a religion. the maintainers of bevy and brew come to mind. it is a "curated software repository" and so much more, it's practically a way of life for these guys.
BonerWiener 19 hours ago [-]
> I have to say, the principle that open-source software can't do anything nefarious because the source is open
No one is saying this.
I think you have misunderstood the principles of open source.
I'd rather be able to verify the code I am running, than it being locked down, proprietary.
I have the possibility to audit FOSS. Can't do it for proprietary software
emodendroket 6 hours ago [-]
And how often do you do it?
nkrisc 19 hours ago [-]
Never heard of that principle. I have heard people say that if an open source project was doing something nefarious it would be easier for someone to discover it.
moomin 19 hours ago [-]
Ironically, one of the promises of AI: enough eyeballs.
The catch is the eyeballs can also be used to generate exploits.
ffacu 19 hours ago [-]
I think that this is becoming increasingly true only for large, well-known repositories, where the maintainers have a lot to lose by doing anything shady. I don't think the React team could get away with doing something like that, for example.
atmosx 20 hours ago [-]
Not true. If statistics offer a “measure” of reality, my guess is that “OS doing nefarious things” must fall between 0,005% and 0,007%. In any case compared to the extracted value it’s … nothing.
prmoustache 18 hours ago [-]
Why the hell do you think this is related to open-source software?
toofy 13 hours ago [-]
this issue was found specifically because these things are open source.
the ethos of open source is that bugs and malicious code are more likely to be spotted.
we’re discussing this on hn right now strictly because the code is open, the abusive code was found because it is open.
abusive people will make abusive software. the problem lies in the fact that despite absolutely having the resources, microsoft won’t do anything about it, not in the fact that we can see the abuse.
the problem is microsoft, yet again.
Yokohiii 20 hours ago [-]
If all projects on github were closed source with public "trust me bro" binaries the situation would be of course much better.
birksherty 19 hours ago [-]
"Trust me bro" is what people say about open source everywhere when it's not true.
Yokohiii 11 hours ago [-]
No clue what that means.
kgwxd 15 hours ago [-]
That's not a principle anyone, that knows anything about software, holds.
megous 19 hours ago [-]
What's opensource about this?
- Application.cmd or Launcher.cmd
- loader.exe or luajit.exe or another_name.exe
- random_name.cso or random_name.txt
- lua51.dll
All of the content are binaries or launcher scripts.
LtWorf 17 hours ago [-]
It held up before github became a platform for grifters and having stars attracted VCs.
djent 16 hours ago [-]
strawman
flykespice 18 hours ago [-]
The xz backdoor should've been a wake up call for everyone subscribing to the classic cargo cult that "malware can't exist in open-source software". All the payload was submitted through auditable code that was cleverly concealed from review.
mmsc 21 hours ago [-]
> Another month later, GitHub support sent me an email saying that they had removed these repositories.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Philips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
mrbluecoat 19 hours ago [-]
> I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware
...like Windows Defender? Oh, the irony :D
rkozik1989 21 hours ago [-]
People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really ought to be a tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).
junon 21 hours ago [-]
There are. Socket, Aikido, and a number of others do this all the time.
aweiher 21 hours ago [-]
Step-Security, Wiz ..
codedokode 5 hours ago [-]
This highlights the problem with legacy desktop OSes like Windows, Linux and MacOS: they allow a random program from Internet to get full access to the computer. Windows and Mac display a warning that the program might be malicious, but how is the user supposed to check it? Do Windows and MacOS developers expect every user to disassemble the program? That's just shifting responsibility instead of solving the root issue.
And Linux has no warning and no button to check the program with antivirus before running. How worse could it be?
In comparison, on Android and iOS there are sandboxes, and you can run any program relatively safely as long as you don't grant dangerous permissions and your kernel is not outdated. And even if you grant permissions, the malware still won't be able to read your browser cookies or the messages in your Matrix client.
Linux needs to be better than this. Linux seems to be built on presumption that you either download the code from official repository you trust, or write your own, and doesn't support safe execution of third-party or closed-source programs. For example, if you run proprietary software, it might scan through your data, silently collect your hardware identifiers (like motherboard serial number) to better track and identify you and Linux does not prevent this.
mittensc 5 hours ago [-]
You can use VMs for sandboxes.
Linux main feature is that you are free to do anything you want.
Linux does verify signatures for packages from official repos.
Linux has features like SELinux and AppArmor.
If you want to install a random package, you are free to do so and it's your responsibility. Equivalent is side loading in android.
On iOS Apple doesn't even let you have full Firefox... That is wrong. And yet, there have always been exploits.
codedokode 5 hours ago [-]
I thought about VM but it would be pretty expensive and require lot of RAM (which is not cheap nowadays and not always upgradeable on laptops. How would you upgrade your 8 Gb MacBook?) and CPU overhead to emulate the hardware and run one more kernel. The program in VM would not be able to use OpenGL/Vulkan, access the audio card with low latency (for working with audio), connect to DBus (to interact with other software).
I actually ran Windows games like Cyberpunk in qemu on a Linux host without performance loss, but that required adding a dedicated GPU for guest and to use realtime audio, one needs to pass through an audio card into the guest.
Furthermore, the CPU already provides a "sandbox" (isolated memory) for processes. The problem is that Linux allows the program to ask the kernel to do anything.
> Linux has features like SELinux and AppArmor.
Neither SELinux nor AppArmor allows to show a question "would you like to allow program N to access your microphone" or "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)". They look like they are made to comply with some outdated standards from 80s.
The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel). Those solutions are made for server use, not for desktop, and require lot of work and programming.
> If you want to install a random package, you are free to do and its your responsibility. Equivalent is side loading in android.
I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.
mittensc 4 hours ago [-]
> Neither SELinux nor AppArmor allows to show a question "would you like to allow program N to access your microphone"
Permissions on microphone device would work, build your own UI / virtual device or generate one with claude if you really want popups.
> "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)"."
I actually have something for this. Firewall everything blocked, domains unblocked via DNS request if I allow them.
Linux is very powerful here compared to iOS - can you block specific domains there?
> The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel).
What do you think the sandbox on ios/android is?, still a vm/namespace/container...
> require lot of work and programming.
Sure, but you learn.
> I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.
That's not true anywhere. I would not feel safe with random apks or random store entries on android OR iOS. On iOS i lived through the whole 'access a webpage to get jailbreak' phase... with no way around it since mandatory safari
So, other OSs just give you the impression of safety. And you're locked. (iOS with safari...)
On Linux you are free, up to your capabilities.
codedokode 3 hours ago [-]
How do you sandbox /proc by the way? So that the app doesn't crash due to missing /proc/self/exe link or /proc/ID/stat file, but cannot read my private information (like /proc/cmdline, /proc/mounts etc)? Things like bind mounts do not work on /proc.
I ended up with writing a FUSE-based emulation in Python, but there are lot of issues with permissions and namespaces:
- I could run my /proc emulator in the same PID namespace as the target, but in a different mount namespace so that I can mount real /proc there. This is not safe because the target could send signals or ptrace my emulator and gain access to the real /proc. Especially if it is an AI agent, they are pretty capable.
- I could run the emulator in a different mount and PID namespaces but then the emulator needs to translate PIDs into the target namespace, and for this I need to know the format of all files and where they contain PIDs and it is a pain
- running the poorly coded emulator as a root is not an option. The sandbox must work without root.
- ideally the emulator should run as a different user because Linux provides the strongest isolation for processes of different users, but in this case I won't be able to access target's /proc entries.
Also, running a program is the most basic functionality of an OS and you suggest that I need to write my own sandbox to do this because it is not included with Linux. Maybe that is why this year still is not the year of Linux on desktop.
mittensc 2 hours ago [-]
> Also, running a program is the most basic functionality of an OS and you suggest that I need to write my own sandbox to do this because it is not included with Linux. Maybe that is why this year still is not the year of Linux on desktop.
I'm saying other OSs are worse for sandboxing.
How would you achieve what you want on MacOS or Windows? (or others?), what do you think goes on behind the scenes?
I would set up a VM if i were that paranoid btw. Qemu, docker, deploy the container to it, vnc or gpu access.
Also, one question for you, since you brought up microphone, how do you defend from Microsoft/Google/Apple deciding to spy on you and access the microphone? (secret court order or who knows why in the future)
codedokode 1 hours ago [-]
It doesn't matter how bad is Windows or Mac because I do not use them.
Apple might have something made for the government. They are very cooperative and routinely remove VPN apps from the repository at the request of Russian government, probably they will happily cooperate with US government as well.
> how do you defend from Microsoft/Google/Apple deciding to spy on you
My smartphone is in airplane mode since purchase and doesn't have a SIM card. I am considering options to port an open-source firmware like Lineage OS, patch proprietary firmware or make mix of both. However to do this I need a realistic emulator that cannot be easily detected and that emulates at least some of phone hardware so that I can see what the programs try to do and where they try to connect to. Obviously there will be no Google services and similar software, mostly open-source apps from F-Droid.
As for computer, I use Linux so I guess I am relatively safe.
mittensc 33 minutes ago [-]
All right, so since you're using Linux and alternatives are worse... what's there to complain about?
why not put that effort into improving stuff / finding solutions?
istoleabread 5 hours ago [-]
I do not want my OS to tell me what I can and cannot do on the computer I bought, it's as simple as that
codedokode 5 hours ago [-]
I did not suggest that; what I suggested was that the programs should run in sandboxes.
realusername 5 hours ago [-]
> as long as you don't grant dangerous permissions and your kernel is not outdated
There's like 2 or maybe 3 phone models in the world without an outdated kernel in Android.
And then sure, Android and iOS sandboxing is better but in the same time, the quality of the apps and the vetting is 100x worse than your average Linux distribution so I'm not sure that makes up the difference.
codedokode 4 hours ago [-]
In Linux there is no vetting. Does anyone verify proprietary AI agents like Claude Code? Software like VS Code? Games? They are distributed through random sites and cannot even be banned.
You could restrict yourself to the official repositories, but there is a limited selection of software. There are no closed-source software, like audio editing plugins, graphic editors, games, AI agents and so on. Even open-source software is often missing in official repositories.
realusername 4 hours ago [-]
There's vetting, apps like Facebook or Candy Crush would never pass the most basic repository scrutiny if you made it Linux native and would never be included anywhere, even if they were made open source.
You can contrast that with the Play Store where just searching for ChatGPT brings you a fake app on top (and before you bring the appstore, it was the same there until they banned the keyword after some bad press)
And yeah it's up to you if you install something outside of repositories, it's your computer.
codedokode 4 hours ago [-]
The point is, for many use cases you need to install third-party software, including closed-source software, and I want an OS to be able to run it safely. That's the purpose of OS - allow running software.
In reality, third-party software like Docker or Node.JS typically suggests that you sudo-curl-bash the script from the Internet. How worse could it be.
astronodev 23 hours ago [-]
I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.
- This is a new repository, not a fork
- All repositories have different contributors and different names
From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.
In previous campaigns the repositories were linked to a few users. But those users had starred other users, that at the same time had also cloned other repositories with the malware. Sometimes the malicious repository had been cloned from another malicious repo, and if you listed the repositories and "friends" of that user, all were part of the botnet.
Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.
beej71 19 hours ago [-]
I added keyoxide proofs everywhere. It's not really protection against victims using the wrong repo, but at least people who look can be certain that the person who controls my domain and website is the same person who controls that particular GitHub account.
This is a failure of malware flagging systems as well - VT should not return clean if there are any downstream files that are malicious - such as in this case.
axus 22 hours ago [-]
It will feel very spooky when they stop updating because of this essay.
codedokode 5 hours ago [-]
> Why do they delete a commit and push a new one every few hours?
Maybe they want to get into "trending" section, or to have higher position in search results (maybe Github or Google prioritizes repositories updated recently)?
Teknomadix 19 hours ago [-]
> The zip archive contains 4 files:
> - Application.cmd or Launcher.cmd
> - loader.exe or luajit.exe or another_name.exe
> - random_name.cso or random_name.txt
> - lua51.dll
> If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.
MS Windows
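The four-file layout quoted above (also listed in megous's comment earlier in the thread) can be checked from an archive's file listing alone, without extracting or running anything. This is an added example, not part of the thread or the article: a Python triage heuristic in which the role names, extension sets and verdict strings are assumptions made for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension sets are assumptions chosen to mirror the four files listed in the thread.
LAUNCHER_EXT = {".cmd", ".bat"}
EXECUTABLE_EXT = {".exe"}
LUA_RUNTIME = {"lua51.dll"}
DATA_EXT = {".cso", ".txt"}
SOURCE_EXT = {".py", ".js", ".ts", ".c", ".h", ".cpp", ".rs", ".go", ".java", ".lua"}
REQUIRED_ROLES = ("launcher", "executable", "lua_runtime", "data_file")


def classify(name):
    """Map one archive member name to a coarse role, ignoring its directory."""
    path = PurePosixPath(name.replace("\\", "/"))
    base, ext = path.name.lower(), path.suffix.lower()
    if base in LUA_RUNTIME:
        return "lua_runtime"
    if ext in LAUNCHER_EXT:
        return "launcher"
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in DATA_EXT:
        return "data_file"
    if ext in SOURCE_EXT:
        return "source"
    return "other"


def triage_zip(data):
    """Inspect the file listing only; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "roles": {}, "missing": list(REQUIRED_ROLES)}

    roles = {}
    for name in names:
        roles.setdefault(classify(name), []).append(name)

    missing = [r for r in REQUIRED_ROLES if r not in roles]
    has_source = "source" in roles
    if not missing and not has_source:
        # Launcher + executable + Lua runtime DLL + data file, and no source at all.
        verdict = "matches-described-bundle"
    elif {"launcher", "executable"} <= set(roles) and not has_source:
        # Weaker signal: a "repository download" that is only a launcher and a binary.
        verdict = "binaries-and-launcher-only"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "roles": roles, "missing": missing}


def make_zip(names):
    """Build a constructed in-memory archive with placeholder bytes per member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: member names follow the layout quoted in the thread.
SAMPLES = {
    "bundle": make_zip(["Launcher.cmd", "luajit.exe", "random_name.cso", "lua51.dll"]),
    "nested": make_zip(["app/Application.cmd", "app/loader.exe",
                        "app/random_name.txt", "app/lua51.dll"]),
    "source_repo": make_zip(["README.md", "src/main.py", "LICENSE.txt"]),
    "installer": make_zip(["setup.exe", "run.bat"]),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        result = triage_zip(blob)
        print(label, result["verdict"], "missing:", result["missing"])
    print("garbage", triage_zip(b"not a zip")["verdict"])
```

A match is only a listing-level signal: it says the download has the shape described in the thread, not what the files do, so the archive itself still needs scanning.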
anujshashimal98 5 hours ago [-]
The scary part is how easily malicious repos can blend in with legitimate open-source projects
jslakro 19 hours ago [-]
Any open source tool to scan a github repo before download/install it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option
downrightmike 9 hours ago [-]
Virus total should be scanning GitHub at the least, because it is a job MS Defender can't appear to itself.
factorymoo 17 hours ago [-]
Can anyone tell me if there are similar risks installing software using Brew on macos? I would imagine so.
ttoinou 17 hours ago [-]
I got some source code leaked and added a malware on top of it. Not sure what to do with it
A “recruiter” (sometimes pretending to be a CEO/HR) contacts you.
The job looks amazing — above-market salary, remote position, paid in USD, etc.
They ask for your CV and GitHub.
They say you’re “approved for the next stage” without any real interview.
Before the call, they send you a codebase to review or modify as a “technical test.”
When I get one of these, I automatically spin up a cloned VM and test it there, where for the most part it gets infected immediately, as I watch the VM connect to odd places (C&C computers), for which I add any names/IP addresses to my hosts file, and then spin up another cloned VM, with the adjustments to the hosts file, and watch the malware get all lonely... but once, it was able to escape the VM... so I had to scramble to disinfect both the RM and the VM, and then update, and look around for hardening tools.
It's satisfying to delete an infected VM, with a "Not this time Jack."
excalibur 13 hours ago [-]
You guys, I think maybe THIS is the Bad Place.
GL26 19 hours ago [-]
Is it possible to ban them or report them?
pydry 21 hours ago [-]
Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".
radicaldreamer 18 hours ago [-]
You can bet they’ve tried it and had a bunch of false positives, so the PM nixed it because it would be bad for business.
fastcrw 21 hours ago [-]
are there any ci/cd that controls them?
schedpilot 21 hours ago [-]
Damn, 10k? That's a lot, how did you get them?
theorchid 20 hours ago [-]
Hmm. Using a script. That's explained in the article)
rambojohnson 19 hours ago [-]
the en-ghettofication of american tech, down to its very open source control projects. a digital ghetto ill maintained if at all.
doug_durham 18 hours ago [-]
There’s nothing new here. This is how open source software has been since its inception. It’s just the nature of reality.
prmoustache 18 hours ago [-]
This story is totally unrelated to open-source. There is no mention of a source let alone a license.
siva7 20 hours ago [-]
Hi Claude fable, why u not protecting me from malware? Am i not american enough? Not rich enough? Yieks..
I suppose the only difference to the Big 4 is the price tag.
I guess politicians could claim to be hiring a voter research company and profess to be oblivious to the "voter hacking" schemes (hacking the voters' minds to lean whichever way the politician wants them to lean).
Like what, parties campaigning?
Legitimate projects:
https://github.com/jimmc414/onefilellm
https://github.com/jimmc414/Kosmos
https://github.com/jimmc414/cctrace
Projects using my name which I have no affiliation with or they are projects I have written that they have injected new URLs into:
https://hub.decision.ai/skills/jimmc414/benchling-integratio...
https://lobehub.com/skills/jimmc414-claude-code-plugin-marke...
https://mcpmarket.com/tools/skills/geniml-genomic-machine-le...
https://mcpmarket.com/tools/skills/biopython-for-molecular-b...
How do you find these? I don't want to search for my name on those dodgy sites, as that tells them my projects exist.
Maybe to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users end up cloning the trojan infected one.
Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...
https://archive.is/yAUNy
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
[0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...
Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
Password managers assume a non-compromised device. I don't think there exists a password manager that is explicitly designed for a compromised/hostile device.
A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
I suppose that becomes a pretty strong argument for passphrases + MFA, because passphrases are much easier to type in manually. But the problem there is lots of services still have stupid/arbitrary maximum password length restrictions that make it difficult or impossible to use a sufficiently complex passphrase.
It’s very frustrating.
1PW just generated this for me: mimp-rort-jan-mon-kain-sqin
Not as much entropy as 24 random letters/digit/punctuations/capitalisation. But (for me at least) much easier to read and type in situations where copy/paste isn't available (like from my phone to my dev docker containers)
Maybe a good compromise is to use 1pw for most TOTP but keep your gmail / iCloud and a few others in an iPhone only app?
Gmail is what scares me the most. It’s basically keys to the kingdom.
We might all do well to remind F&F to print out account recovery codes, and then put some thought into where they'll be safe.
Once you have a Yubikey (preferably two, so you have a backup if you damage/lose one) - you may as well make _that_ your primary MFA method, and only use TOTP for services you can't enrol your Yubikeys on.
UPDATE: also gotta keep track separately of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one yubikey, need to sync all passkeys to a new replacement one.
Though I think there is also the option that sites can store some sort of identifier on the key, then this would not work :/
The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.
And besides that, ultimately if the computer you're using has been compromised, whatever you do on that computer can be mucked about with, so while the password sits safely on the hardware, once you're logged in in the browser, the cookie is just sitting there. I guess you'd get furthest isolation with Qubes et al, but with a regular Linux installation you'd still be exposed with a hardware password manager, if the installation has been compromised.
Almost all development I do, and most others, are on our projects or projects we're at least interested in, and most likely dove into, that's why we're developing in them in the first place.
In this case, it seems like the developer wasn't actually developing anything, but playing around with image generation on his time off, for fun, and ended up pulling down a random 3rd party thing and got compromised that way. Very different from "for dev" I'd say.
Besides, didn't most developers start isolating projects from each other when the first npm worms started to appear? I know I stopped running `npm install` in the same environment I do my banking, and drastically reduced the amount of random 3rd party stuff I have, still use all the same device though. Even have a Windows install on the same computer, booo!
So just waiting for the password won’t be enough
Does anyone have a description of something manageable?
I suppose the inverse would be starting with a device that offers TOTP/MFA, and then making your password-manager/vault somehow available on that same device. In either case, bringing them together makes it easier for an attacker to compromise both at the same time.
On reflection, I've never actually put my (personal) password vault on my phone, but that may be less of a conscious security stance than fulfilling a millennial stereotype, where certain tasks (like big purchases) are reserved for "a real computer."
Closest I've gotten is having my USB backup keychain in the same pocket, so I could get to it in an emergency, but it's inconveniently air-gapped.
I also force most apps on iOS to ask for face id (long press on app icon to set this).
[0] https://ente.com/auth/
Use intentional spelling mistakes in your password vault, edit the password by hand. You also need to have some way of authenticating login components to be sure you're running your version of login, and not a trojan login.
I think the bigger problem is using your pw manager for 2FA too.
Always open to better security, though.
The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried.
The repo is still there 2+ years later and GitHub has taken no action.
If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.
I can't wait to discover the next thing to be disappointed by in a decade's time.
Also reminds me to update my fake CV.
https://reducibl.com/writing/someone-used-my-repo-to-distrib...
I've seen so many forms of malware repos working on a GitHub trends newsletter [1], mostly about crypto, NFTs, KMS, and similar stuff.
In the first runs of the project, I was so surprised by tens of malware repos that looked like trending repos. A lot of them share some common traits that made filtering feasible:
- Made by a fresh GitHub user - many created in the past few days.
- The average creation date of Stargazers accounts is very close to the repo creation date. If you take the mean time diff, those bad repos get exposed.
I reported 10s of malware repos, but then I gave up as I felt GitHub was not really doing enough to fight back. I was like... these guys don't seem to care, why should I?
God knows how many people have been abused by these malware repos on GitHub.
---
[1] https://github.com/mhadidg/gh-trends
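The two traits listed in the comment above, as an added sketch that is not code from gh-trends or from the commenter: it flags a repository when the owner account is only days old, or when the stargazers' accounts were on average created close to the repository's own creation date. The record layout, the thresholds (7 and 30 days, minimum of 5 stargazers) and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed thresholds; the comment names the signals but gives no numbers.
FRESH_OWNER_DAYS = 7
STARGAZER_GAP_DAYS = 30
MIN_STARGAZERS = 5  # below this the mean is too noisy to use
SECONDS_PER_DAY = 86400.0


@dataclass
class RepoSnapshot:
    name: str
    repo_created: datetime
    owner_created: datetime
    stargazer_created: list  # account creation time of each stargazer


def owner_age_days(repo, observed_at):
    """Age of the owning account at the time the repo was observed."""
    return (observed_at - repo.owner_created).total_seconds() / SECONDS_PER_DAY


def mean_stargazer_gap_days(repo):
    """Mean absolute gap between stargazer account creation and repo creation.

    Returns None when there are too few stargazers to say anything.
    """
    if len(repo.stargazer_created) < MIN_STARGAZERS:
        return None
    return mean(
        abs((repo.repo_created - created).total_seconds()) / SECONDS_PER_DAY
        for created in repo.stargazer_created
    )


def assess(repo, observed_at):
    """Return the list of reasons a repo looks suspicious (empty if none)."""
    reasons = []
    age = owner_age_days(repo, observed_at)
    if age <= FRESH_OWNER_DAYS:
        reasons.append(f"owner account is {age:.1f} days old")
    gap = mean_stargazer_gap_days(repo)
    if gap is not None and gap <= STARGAZER_GAP_DAYS:
        reasons.append(
            f"stargazer accounts created on average {gap:.1f} days from repo creation"
        )
    return reasons


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data; names and dates are made up.
NOW = _utc(2025, 6, 3)
ESTABLISHED = RepoSnapshot(
    "example/established-tool", _utc(2025, 1, 10), _utc(2016, 3, 2),
    [_utc(2012, 5, 1), _utc(2015, 8, 19), _utc(2018, 2, 7),
     _utc(2019, 11, 30), _utc(2021, 4, 12), _utc(2023, 9, 5)],
)
_BURST = _utc(2025, 6, 1)
SUSPECT = RepoSnapshot(
    "example/fresh-clone", _BURST, _utc(2025, 5, 30),
    [_BURST + timedelta(days=n) for n in (-3, -2, -1, 0, 0, 1, 1, 2)],
)
FEW_STARS = RepoSnapshot(
    "example/quiet-project", _utc(2024, 2, 1), _utc(2019, 7, 7),
    [_utc(2024, 2, 2), _utc(2024, 2, 3)],
)

if __name__ == "__main__":
    for repo in (ESTABLISHED, SUSPECT, FEW_STARS):
        print(repo.name, assess(repo, NOW) or "no flags")
```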
I'm talking about 10s of repos flagged in a few hours. I don't think the volume would be that big for an expensive review.
https://github.blog/security/how-to-scan-for-vulnerabilities...
That being said, they do take action if you report the repo. So I'm guessing good users are doing the heavy lifting here with reporting. I don't believe GitHub is taking enough proactive measures, or maybe they do, but it's not working well, obviously.
https://hadid.dev/posts/github-trends/#growth-based-approach
Note: GitHub has 2 auth systems. OAuth, and GitHub Auth. OAuth lists permissions but most apps use GitHub Auth which does not. So that app that gives you a badge or lets you comment could be asking for write permission to all your repos. You have no idea.
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
Another good reason to use ublock origin!
I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.
Passkeys solve this problem but have their own usability issues.
It does not detect domains.
Meanwhile U2F/Passkeys can't possibly be abused like this.
I've never lost a password because my backpack was overly abused.
My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.
Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
You're going to have a hard time convincing me the answer is yes.
Maybe you're not looking or maybe you're lucky.
Either way, many of us see it happen all the time there too. For GitHub especially, I almost never get the canonical repo for a project in my Google results. Phishing or innocuous, it's almost always some fork at the top and then a bunch of non-github.com sites.
Search is more or less "cooked" now, as they say. Google vs Bing vs DDG vs Kagi is mostly in the noise.
I know several people who search for important sites, click uncritically on links, and get scammed. This is not so good.
Our company constantly has phishing copies of our real pages as first results in Google. We have no ability to get them taken down. It costs us serious money every year, and hurts our customers who get swindled because Google lets some brand new domain registered yesterday come before the company that has existed for 20 years.
If you haven't seen it on google, you aren't looking hard enough.
Years ago, a friend of mine fell victim to a romance scam. Damage ~€3k. It involved fake websites of non-existing logistics companies, a fake banking site where victim could 'help' a person 'transfer funds' for them, a long chat history (over Viber or something like that, initiated through Facebook), etc.
This being a good friend, I put in some legwork, saved local copies of sites, etc. Some findings:
# It's easy to find copies of sites of the one(s) used to defraud victim. In this case, ~50. And compile a list, what's the hoster of each & where domains are registered.
# Fake banking sites are easy to determine since legitimate banks are recorded in per-country registries. Legitimate: website's security certificate (extended validation etc) indicates [bank_X], bank_X listed as such in registry of country it operates in. Not? -> fake.
For non-banking fake sites it's more difficult to tell.
# Hosting companies & domain registrars do take action. As long as you provide correct & detailed info, in such a way that it's easy for them to act on. Professional companies don't like having legal / financial liabilities sit around.
# If there's security certificates involved, informing issuer of that can remove "secure connection" from a whole batch of sites in 1 go. Makes it harder to convince future victims. (no lock icon on a banking site?!?)
# An official request could be filed with this victim's bank (passed on to recipient's bank), that would give holder of recipient account 2 options: a) return the funds, or b) have their personal details revealed to victim - for use in legal proceedings etc.
This was within EU area. Likely, recipient would be a money mule & not respond. But then you'd get money mule's full name/contact info etc (home address?)
# Police / fraud orgs etc rarely have time for this. You need to do the legwork yourself.
Ultimately, my friend decided not to pursue the matter. But in the mean time, I had caused >2/3 of those fake sites to be deleted (and all the fake banking sites I'd found), and some security certificates to be revoked. Obviously that disrupts scammer's operations to some degree (and costs them time, $$, potential victims dropped etc). So it's not like you can't do anything.
No individual person can be the superhero that saves the day on everyone's behalf. But what we can do is provide what little help or insight that we have, and then pass the issue along to others.
Perhaps all it means is that you end up doing what OP did: the "deeper" research that you mentioned plus a little post on Hacker News or elsewhere.
Even if nothing comes of it in the end, at least you'll have tried.
Where are all the training-data poisoning repositories? Those set up so the next generation LLMs will be trained to include malware in the code they generate. Isn't that the new kind of supply-chain attack that's probably happening right now?
https://news.ycombinator.com/item?id=48594733
https://pypi.org/project/prylint/
> A Rust reimplementation of pylint that produces byte-for-byte identical output — 15–2300× faster (median ~85×).
> prylint is not "inspired by" pylint. [...] Where pylint has bugs, prylint reproduces them. Where pylint crashes, prylint reports the same crash message.
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as binaries.
I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.
By now (imo), the entire web is gamed and no number can be trusted, I operate completely on a qualitative basis rather than quantitative, basically the only way I can get something out of the web. Ignore all and any numbers as any indication of anything.
It's not perfect, but surely it's easier to audit for malicious code than closed source.
Also, there is no shortage of volunteers looking out for code changes in established open source software. I think it's fair to exclude software that is very new and/or that has no users, which may be closer to equal footing with proprietary software.
Even for established proprietary software, you get volunteers watching out for changes in releases. Though, far less than open source, and more reserved for people who know reverse engineering.
> Given enough eyeballs, all bugs are shallow.
[1] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...
[2] https://en.wikipedia.org/wiki/Linus%27s_law
Fun fact, I've spent the last few days fretting over whether to add H2 to my FabricMC mod. The problem being that I don't know what class-loading shenanigans could possibly occur if I jar-in-jar include it: what happens if another mod has H2 jar-in-jar included? Will my mod only reference its own version of H2? What implications [if any] would that have? Or will the Fabric Loader pick one? What if another mod has H2 shaded instead? Will the classes clash differently? What if, instead of jar-in-jar including it, I shade and relocate it? Does H2 or JDBC rely on reflection or services that would render it non-functional?
All recommendations point to using/creating a mod specifically for that library and depending on it. As luck would have it, one already exists on Modrinth. Except... I'm then requiring anyone who trusts my mod to also install this other mod that I have no control over. I just looked at the source code and it looks fine, but that's if you trust that the published jars are the exact result of that source code: maybe there's something malicious in the Gradle Wrapper binary. This mod could at any time become malicious and how would I detect that?
Guess what? I asked around and was summarily told to stop worrying, that it's fine. We on this website need to realise that we're a minority: NO ONE is routinely (or even occasionally) scrutinising the source code of the stuff they install from third-party websites. I have never, not once, seen anyone hash a downloaded file to check that it matches what's on the website. At the very most, I've seen people find the Github repo, see that it has a lot of stars, and then assume it's safe.
"He reverse-engineered an actual attack. The project contained scripts that enabled code injection and crypto-wallet theft. His post (highly recommended):"
https://www.linkedin.com/pulse/como-identifiquei-um-golpe-em...
"The execp package (version 0.0.1) is an infamous, malicious dependency frequently used in recent supply-chain attacks and job interview scams. Threat actors embed this 9-year-old package into seemingly innocent "technical assessments" or projects. When you run npm install, it quietly executes arbitrary shell commands in the background to compromise your machine."
I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.
"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in open-source software". I've literally never heard someone claim the latter.
(edit for coherency, thanks graemep)
No nobody said "exactly that". But many times I've seen people claiming to trust open source as it is safer and people can check and build themselves. Seen it too many times. But reality is different than what is claimed.
You didn't use the word "safe", you used the relative term "safer", and on average, it is harder to hide ill intent in open source software, there's a greater chance it will eventually be discovered. The blast radius is larger for open source (because the barrier to using it is lower), which increases the number of people impacted, but an increase in the number of people impacted also increases the chance of discovery and motivation to address it once discovered.
Approximately nobody can read other people's code for intent or quality, let alone to surface malware meant to be hidden in it.
For almost everyone, the only hope is that somebody else validated the code you want to use before you choose to use it and successfully interfered with its distribution upon finding an issue. That's why the culture of automatic-updating package managers and bloated dependency graphs are so dangerous and why inserting delays into package managers can make such a difference in exposure to supply chain attacks for those that are intent to use them.
It's true that open source provides the transparency that makes any kind of third-party validation possible, but closed source benefits from commercial vendors staking their brand on what they release. It's a tradeoff, not a straightforward win for one side.
GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)
No one is saying this. I think you have misunderstood the principles of open source. I'd rather be able to verify the code I am running than it being locked down, proprietary.
I have the possibility to audit FOSS. Can't do it for proprietary software
The catch is the eyeballs can also be used to generate exploits.
the ethos of open source is that bugs and malicious code are more likely to be spotted.
we’re discussing this on hn right now strictly because the code is open, the abusive code was found because it is open.
abusive people will make abusive software. the problem lies in the fact that despite absolutely having the resources, microsoft won’t do anything about it, not in the fact that we can see the abuse.
the problem is microsoft, yet again.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Philips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
...like Windows Defender? Oh, the irony :D
And Linux has no warning and no button to check the program with antivirus before running. How worse could it be?
In comparison, on Android and iOS there are sandboxes, and you can run any program relatively safely as long as you don't grant dangerous permissions and your kernel is not outdated. And even if you grant permissions, the malware still won't be able to read your browser cookies or the messages in your Matrix client.
Linux needs to be better than this. Linux seems to be built on the presumption that you either download the code from official repository you trust, or write your own, and doesn't support safe execution of third-party or closed-source programs. For example, if you run proprietary software, it might scan through your data, silently collect your hardware identifiers (like motherboard serial number) to better track and identify you and Linux does not prevent this.
Linux's main feature is that you are free to do anything you want.
Linux does verify signatures for packages from official repos.
Linux has features like SELinux and AppArmor.
If you want to install a random package, you are free to do so and it's your responsibility. Equivalent is side loading in android.
On iOS Apple doesn't even let you have full Firefox... That is wrong. And yet, there have always been exploits.
I actually ran Windows games like Cyberpunk in qemu on a Linux host without performance loss, but that required adding a dedicated GPU for guest and to use realtime audio, one needs to pass through an audio card into the guest.
Furthermore, the CPU already provides a "sandbox" (isolated memory) for processes. The problem is that Linux allows the program to ask the kernel to do anything.
> Linux has features like SELinux and AppArmor.
Neither SELinux nor AppArmor allows showing a question "would you like to allow program N to access your microphone" or "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)". They look like they are made to comply with some outdated standards from the 80s.
The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel). Those solutions are made for server use, not for desktop, and require lot of work and programming.
> If you want to install a random package, you are free to do and its your responsibility. Equivalent is side loading in android.
I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.
Permissions on microphone device would work, build your own UI / virtual device or generate one with claude if you really want popups.
> "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)"."
I actually have something for this. Firewall everything blocked, domains unblocked via DNS request if I allow them.
Linux is very powerful here compared to iOS - can you block specific domains there?
> The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel).
What do you think the sandbox on ios/android is?, still a vm/namespace/container...
> require lot of work and programming.
Sure, but you learn.
> I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.
That's not true anywhere. I would not feel safe with random apks or random store entries on android OR iOS. On iOS I lived through the whole 'access a webpage to get jailbreak' phase... with no way around it since mandatory safari
So, other OSs just give you the impression of safety. And you're locked. (iOS with safari...)
On Linux you are free, up to your capabilities.
I ended up with writing a FUSE-based emulation in Python, but there are lot of issues with permissions and namespaces:
- I could run my /proc emulator in the same PID namespace as the target, but in a different mount namespace so that I can mount real /proc there. This is not safe because the target could send signals or ptrace my emulator and gain access to the real /proc. Especially if it is an AI agent, they are pretty capable.
- I could run the emulator in a different mount and PID namespaces but then the emulator needs to translate PIDs into the target namespace, and for this I need to know the format of all files and where they contain PIDs and it is a pain
- running the poorly coded emulator as a root is not an option. The sandbox must work without root.
- ideally the emulator should run as a different user because Linux provides the strongest isolation for processes of different users, but in this case I won't be able to access target's /proc entries.
Also, running a program is the most basic functionality of an OS and you suggest that I need to write my own sandbox to do this because it is not included with Linux. Maybe that is why this year still is not the year of Linux on desktop.
I'm saying other OSs are worse for sandboxing.
How would you achieve what you want on MacOS or Windows? (or others?), what do you think goes on behind the scenes?
I would set up a VM if I were that paranoid btw. Qemu, docker, deploy the container to it, vnc or gpu access.
Also, one question for you, since you brought up microphone, how do you defend from Microsoft/Google/Apple deciding to spy on you and access the microphone? (secret court order or who knows why in the future)
Apple might have something made for the government. They are very cooperative and routinely remove VPN apps from the repository at the request of Russian government, probably they will happily cooperate with US government as well.
> how do you defend from Microsoft/Google/Apple deciding to spy on you
My smartphone is in airplane mode since purchase and doesn't have a SIM card. I am considering options to port an open-source firmware like Lineage OS, patch proprietary firmware or make mix of both. However to do this I need a realistic emulator that cannot be easily detected and that emulates at least some of phone hardware so that I can see what the programs try to do and where they try to connect to. Obviously there will be no Google services and similar software, mostly open-source apps from F-Droid.
As for computer, I use Linux so I guess I am relatively safe.
why not put that effort into improving stuff / finding solutions?
There's like 2 or maybe 3 phone models in the world without an outdated kernel in Android.
And then sure, Android and iOS sandboxing is better, but at the same time, the quality of the apps and the vetting is 100x worse than your average Linux distribution, so I'm not sure that makes up the difference.
You could restrict yourself to the official repositories, but there is a limited selection of software. There is no closed-source software, like audio editing plugins, graphic editors, games, AI agents and so on. Even open-source software is often missing in official repositories.
You can contrast that with the Play Store, where just searching for ChatGPT brings you a fake app on top (and before you bring up the App Store, it was the same there until they banned the keyword after some bad press).
And yeah it's up to you if you install something outside of repositories, it's your computer.
In reality, third-party software like Docker or Node.js typically suggests that you sudo-curl-bash the script from the Internet. How much worse could it be?
Also, GitHub doesn't delete repositories and accounts, they mark them as deleted. If you use their API you can still list them.
https://news.ycombinator.com/item?id=43203158
https://timsh.org/github-scam-investigation-thousands-of-mod...
Maybe they want to get into the "trending" section, or to have a higher position in search results (maybe GitHub or Google prioritizes repositories updated recently)?
MS Windows
https://dev.to/andersoncontreira/warning-to-developers-a-new...
A “recruiter” (sometimes pretending to be a CEO/HR) contacts you. The job looks amazing — above-market salary, remote position, paid in USD, etc. They ask for your CV and GitHub. They say you’re “approved for the next stage” without any real interview. Before the call, they send you a codebase to review or modify as a “technical test.”
When I get one of these, I automatically spin up a cloned VM and test it there, where for the most part it gets infected immediately, as I watch the VM connect to odd places (C&C computers), for which I add any names/IP addresses to my hosts file, and then spin up another cloned VM with the adjustments to the hosts file, and watch the malware get all lonely... But once, it was able to escape the VM... so I had to scramble to disinfect both the RM and the VM, and then update, and look around for hardening tools.
It's satisfying to delete an infected VM, with a "Not this time Jack."