Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack (thehackernews.com)
from abobla@lemm.ee to linux@lemmy.ml on 05 May 10:33
https://lemm.ee/post/63108096

Packages:

#linux

threaded - newest

fluxion@lemmy.world on 05 May 11:21 next collapse

This is why we can’t have nice things

UnfortunateShort@lemmy.world on 05 May 11:56 next collapse

Any intel on affected, high-profile software?

MoonMelon@lemmy.ml on 05 May 15:27 collapse

I found the original blog post more educational.

Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.

catloaf@lemm.ee on 05 May 15:55 collapse

The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.

dubyakay@lemmy.ca on 06 May 14:38 collapse
vegetvs@kbin.earth on 05 May 12:00 next collapse

The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

This is absolutely not just specific to Go.

krakenfury@lemmy.sdf.org on 05 May 12:55 next collapse

  • PyPi
  • npm
  • Maven Central
  • Docker Hub
  • Artifact Hub
  • PPA
  • AUR

The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.

FurryMemesAccount@lemmy.blahaj.zone on 06 May 09:19 collapse

Cargo also has a –git option but I suppose it’s not default behavior

krakenfury@lemmy.sdf.org on 06 May 12:45 collapse

Sure! My point is that hosting doesn’t really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.

FurryMemesAccount@lemmy.blahaj.zone on 06 May 13:38 collapse

I agree, I was just giving another example to raise awareness about that feature of rust.

blobjim@hexbear.net on 05 May 14:28 collapse

That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?

Not that an attack like this is unique or anything.

addie@feddit.uk on 05 May 15:59 collapse

CMake, which is kind of the universal standard build system for C++ now, has “fetch content” since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you’d like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you’d like. I don’t think most people would question pulling and building a library from Github as part of the build, especially if it had a sensible name for the task at hand.

CptKrkIsClmbngThMntn@hexbear.net on 05 May 13:55 next collapse

The one, fool-proof solution to supply chain attacks? Write all your own dependencies. <img alt="meow-coffee" src="https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Fchapo.chat%2Fpictrs%2Fimage%2Fe4c1e8ae-5634-4f87-a129-0bda89187e58.png">

abobla@lemm.ee on 05 May 14:33 next collapse

I’m already writing my own dependency to check if a number is even:

if (number == 0) return true
if (number == 1) return false
if (number == 2) return true
if (number == 3) return false

I’m almost there!

CptKrkIsClmbngThMntn@hexbear.net on 05 May 15:21 collapse

You’ve probably covered 90% of use cases there so you’re doing well!

I’m trying to port your code to Rust but the compiler keeps giving me an error about non-exhaustive match arms <img alt="sadness" src="https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Fchapo.chat%2Fpictrs%2Fimage%2F3de7432c-5d0b-441d-9167-0c61cc3838ab.png">

abobla@lemm.ee on 05 May 15:37 next collapse

this is so sad, I’m gonna pray for you in rust

CptKrkIsClmbngThMntn@hexbear.net on 05 May 17:32 collapse

Assuming you’re monotheistic, I believe you can use an mpsc channel to send those asynchronously.

Kazumara@discuss.tchncs.de on 05 May 15:51 collapse

It’s quite cruel of that compiler not being happy until you’re exhausted.

sping@lemmy.sdf.org on 05 May 16:15 collapse

That seems to be the Go way. Why put it in a library when everyone can just re-implement it themselves (and test and document it too, right? Right?).

E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map. And then people try to paint this as a virtue of the language.

CptKrkIsClmbngThMntn@hexbear.net on 05 May 17:37 collapse

E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map.

Goooood fucking gravy.

I hate to be such an opinionated programmer, but everything I’ve read about Go only reinforces my negative opinion, especially since I read this now-famous article.

sping@lemmy.sdf.org on 05 May 19:16 collapse

I have decades as a SWE, including deep (but now out-of-date) C++ experience, a lot more recently in serious Python systems, and a fair amount of web UI dev on the side.

Now I have 1 year with Go. I came to it with an open mind having heard people sing its praises I thought it would be broadening to spend some time with a language new to me.

My advice now is do anything you can to avoid working in golang. Almost daily, I seriously contemplate whether it’d be worth quitting and being unemployed, even in this economy (US). It is a better C, but that’s a low, low bar at least for the project domains I ever work in. Where it’s an even plausible answer, Rust is probably a better one (I think? - haven’t used Rust for anything real).

CptKrkIsClmbngThMntn@hexbear.net on 05 May 19:34 collapse

Oooof, good to know. I have a bit more of a low level C brain at root so I see the appeal of Go, but never had enough of a reason to get into C++. I’ve only really used C# and JS/JS frameworks professionally.

Rust is an absolute joy to work with. The strong typing, the hands-on memory management, the functional elements, the build system, the helpful compiler errors and warnings, the magical feeling that comes when your first successful compile since refactoring just works, the queer-friendly community… just the perfect language for the way my brain operates.

I’m lucky to be unemployed at the moment and have time to make my own projects with tools of my choosing. There are definitely some barriers to using it in most workplaces, but most of those come down to adoption inertia and the fact that the language is still “new” - new in the sense that it’s not mature enough to have a mature enough frontend framework that has a mature enough third party component library for easy plug and play. Filling out all the corners that older languages have is gonna take a while.

OctaviaMeowzly@lemmy.blahaj.zone on 05 May 14:20 next collapse

Halloween documents pt 2

HelloRoot@lemy.lol on 05 May 15:29 next collapse

Aaah finally, malware for Linux, truly the year of the Linux Desktop!

Ahrotahntee@lemmy.ca on 05 May 15:50 next collapse

We made it! I never thought I’d live to see this day!

FriendBesto@lemmy.ml on 12 May 05:46 collapse

Notice me Hacker Senpai!

[deleted] on 06 May 08:57 next collapse

.

tomatoely@sh.itjust.works on 06 May 14:37 collapse

If anyone is curious, I checked the yay aur helper go dependencies here and it had none of the malicious packages mentioned on this post