wget to Wipeout: Malicious Go Modules Fetch Destructive Payload (socket.dev)
from cm0002@lemmy.world to golang@programming.dev on 06 May 13:43
https://lemmy.world/post/29217936

#golang


starshipwinepineapple@programming.dev on 06 May 15:51

Interesting that it sounds like it is immediately overwriting the whole primary drive rather than trying to exfiltrate any data (or anything else) first

sxan@midwest.social on 06 May 19:21

I took a decidedly minimalist dependency stance a while ago, and I'm glad about it. It's hard; you also don't want to be writing bespoke libraries for everything, but what really got me on this kick was viper and cobra. Using cobra adds 32,400 LOC to your project. To parse flags. 19,600 of those are in cobra's dependencies, which, of course, you also have to vet.

Especially when I’m writing libraries myself, I go to fairly extreme lengths to have an empty go.mod; at least my users only have to audit my project, and not some branching nest of dependencies.
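The audit surface sxan is talking about is visible in go.mod itself: every `require` entry, direct or `// indirect`, is a module a downstream user inherits and has to vet, and an empty require set means none. As an added example (not code from the thread or from cobra, viper or any project mentioned), the Go program below parses a constructed go.mod for a hypothetical CLI, separates direct requirements from indirect ones, and reports the number of third-party modules a consumer would need to review. The module name `example.com/hypothetical-cli` and the version numbers are assumptions made for the sample.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one entry from a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // marked "// indirect" in go.mod
}

// Summary counts the module paths a consumer of this go.mod inherits.
type Summary struct {
	Direct, Indirect int
}

// ParseGoMod extracts require entries from go.mod text. It handles the
// single-line form ("require example.com/x v1.2.3") and the block form.
// module, go, replace and exclude directives are skipped on purpose.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue // blank or comment-only line
		}
		if inBlock {
			if line == ")" {
				inBlock = false
				continue
			}
			if r, ok := parseRequireLine(line); ok {
				reqs = append(reqs, r)
			}
			continue
		}
		if strings.HasPrefix(line, "require") && strings.HasSuffix(line, "(") {
			inBlock = true
			continue
		}
		if strings.HasPrefix(line, "require ") {
			if r, ok := parseRequireLine(strings.TrimPrefix(line, "require ")); ok {
				reqs = append(reqs, r)
			}
		}
	}
	return reqs
}

// parseRequireLine turns "path version [// indirect]" into a Requirement.
func parseRequireLine(line string) (Requirement, bool) {
	indirect := false
	if i := strings.Index(line, "//"); i >= 0 {
		indirect = strings.Contains(line[i:], "indirect")
		line = strings.TrimSpace(line[:i])
	}
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return Requirement{}, false
	}
	return Requirement{Path: fields[0], Version: fields[1], Indirect: indirect}, true
}

// Summarize splits the requirements into direct and indirect counts.
func Summarize(reqs []Requirement) Summary {
	var s Summary
	for _, r := range reqs {
		if r.Indirect {
			s.Indirect++
		} else {
			s.Direct++
		}
	}
	return s
}

// sampleGoMod is a constructed go.mod for a hypothetical CLI that pulls in
// cobra and viper; the version numbers are illustrative, not a real lock.
const sampleGoMod = `module example.com/hypothetical-cli

go 1.22

require (
	github.com/spf13/cobra v1.8.0
	github.com/spf13/viper v1.18.0
)

require (
	github.com/inconshreveable/mousetrap v1.1.0 // indirect
	github.com/spf13/pflag v1.0.5 // indirect
)
`

func main() {
	reqs := ParseGoMod(sampleGoMod)
	s := Summarize(reqs)
	fmt.Printf("direct: %d, indirect: %d, modules to vet: %d\n", s.Direct, s.Indirect, s.Direct+s.Indirect)
	for _, r := range reqs {
		fmt.Printf("  %-45s %-8s indirect=%v\n", r.Path, r.Version, r.Indirect)
	}
}
```

This reads only what go.mod declares; the full build list, including modules pulled in transitively by the indirect ones, comes from `go list -m all` in the module directory, and that longer list is the honest measure of what a user of the library must audit.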