thurstylark@lemm.ee
on 30 Mar 2024 06:24
nextcollapse
Me: fixes exposure to vuln
Also me: grabs popcorn
This is going to be an interesting story once this all quiets down…
Bitrot@lemmy.sdf.org
on 30 Mar 2024 06:37
nextcollapse
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
brunacho@scribe.disroot.org
on 30 Mar 2024 13:10
nextcollapse
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
Bitrot@lemmy.sdf.org
on 30 Mar 2024 15:53
collapse
Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.
It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.
Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.
NotMyOldRedditName@lemmy.world
on 30 Mar 2024 16:42
collapse
What about finding someone like this and then blackmailing them?
That would be cheaper
SMillerNL@lemmy.world
on 30 Mar 2024 17:30
collapse
steal_your_face@lemmy.ml
on 30 Mar 2024 16:16
nextcollapse
Happy it doesn’t affect stable versions
delirious_owl@discuss.online
on 31 Mar 2024 15:00
nextcollapse
Did they intentionally not put the package name in the headline just to draw more clicks? Ffs
annata20@discuss.tchncs.de
on 31 Jul 2024 05:00
collapse
CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.
threaded - newest
Me: fixes exposure to vuln
Also me: grabs popcorn
This is going to be an interesting story once this all quiets down…
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
It’s also at git.tukaani.org.
Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.
<img alt="" src="https://lemmy.world/pictrs/image/3eaa7d84-bad5-4d4c-a9f4-19a43bacdb99.png">
It says F39 users are not affected. Are you running Rawhide/F40 Beta? p
Running Arch, so not really exposed, but still had a compromised version installed.
Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.
It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.
This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience
Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.
What about finding someone like this and then blackmailing them?
That would be cheaper
xkcd.com/538/
Lol, too true. It’s either that or honeytraps
Mandatory XKCD: Dependency
actual link xkcd.com/2347/
Happy it doesn’t affect stable versions
Did they intentionally not put the package name in the headline just to draw more clicks? Ffs
CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.