• sping@lemmy.sdf.org · 3 hours ago

      That seems to be the Go way. Why put it in a library when everyone can just re-implement it themselves (and test and document it too, right? Right?).

      E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map. And then people try to paint this as a virtue of the language.
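
The idiom the comment refers to, as an added example (not code from the post or from any Go project): a set built on a map whose values are the empty struct. Type name, method names and the sample members are assumptions for illustration. The two size helpers at the end show the reason the idiom beats map[T]bool: a struct{} value occupies zero bytes per entry, so the map stores only keys.

```go
package main

import (
	"fmt"
	"sort"
	"unsafe"
)

// Set is a map whose value type is the empty struct: the "empty struct added
// to a map" from the thread. Only the keys carry information.
type Set[T comparable] map[T]struct{}

// NewSet builds a set from the given items.
func NewSet[T comparable](items ...T) Set[T] {
	s := make(Set[T], len(items))
	for _, v := range items {
		s.Add(v)
	}
	return s
}

// Add inserts v. The value struct{}{} carries no data, only membership.
func (s Set[T]) Add(v T) { s[v] = struct{}{} }

// Has reports membership using the comma-ok form of a map lookup.
func (s Set[T]) Has(v T) bool {
	_, ok := s[v]
	return ok
}

// Delete removes v; deleting a key that is absent is a no-op in Go.
func (s Set[T]) Delete(v T) { delete(s, v) }

// Len returns the number of members.
func (s Set[T]) Len() int { return len(s) }

// Union returns a new set holding the members of either set.
func (s Set[T]) Union(o Set[T]) Set[T] {
	out := make(Set[T], len(s)+len(o))
	for v := range s {
		out.Add(v)
	}
	for v := range o {
		out.Add(v)
	}
	return out
}

// Intersect returns a new set holding the members present in both sets.
func (s Set[T]) Intersect(o Set[T]) Set[T] {
	out := make(Set[T])
	for v := range s {
		if o.Has(v) {
			out.Add(v)
		}
	}
	return out
}

// SortedStrings returns a string set's members in sorted order. Go randomises
// map iteration order, so anything that needs determinism has to sort.
func SortedStrings(s Set[string]) []string {
	out := make([]string, 0, len(s))
	for v := range s {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// EmptyStructSize and BoolSize show why struct{} is preferred to bool as the
// value type: the empty struct takes zero bytes per entry, bool takes one.
func EmptyStructSize() uintptr { return unsafe.Sizeof(struct{}{}) }
func BoolSize() uintptr        { return unsafe.Sizeof(false) }

func main() {
	// Constructed sample members, chosen to echo the thread's topic.
	a := NewSet("crypto", "cobra", "testify")
	b := NewSet("cobra", "hugo")
	fmt.Println(SortedStrings(a.Union(b)))     // [cobra crypto hugo testify]
	fmt.Println(SortedStrings(a.Intersect(b))) // [cobra]
	fmt.Println(a.Has("hugo"), b.Has("hugo"))  // false true
	fmt.Println(EmptyStructSize(), BoolSize()) // 0 1
}
```

The generic Set type needs Go 1.18 or later; before generics, each project wrote the same four methods per key type, which is the duplication the comment complains about.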

      • CptKrkIsClmbngThMntn [any]@hexbear.net · 2 hours ago

        E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map.

        Goooood fucking gravy.

        I hate to be such an opinionated programmer, but everything I’ve read about Go only reinforces my negative opinion, especially since I read this now-famous article.

    • abobla@lemm.ee (OP) · 5 hours ago

      I’m already writing my own dependency to check if a number is even:

      if (number == 0) return true
      if (number == 1) return false
      if (number == 2) return true
      if (number == 3) return false
      

      I’m almost there!

  • vegetvs@kbin.earth · 7 hours ago

    The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

    This is absolutely not just specific to Go.

    • blobjim [he/him]@hexbear.net · 5 hours ago (edited)

      That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?

      Not that an attack like this is unique or anything.

    • krakenfury@lemmy.sdf.org · 6 hours ago

      • PyPi
      • npm
      • Maven Central
      • Docker Hub
      • Artifact Hub
      • PPA
      • AUR

      The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.

    • MoonMelon@lemmy.ml · 4 hours ago

      I found the original blog post more educational.

      Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.
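
A check for the two patterns this comment describes (typosquats and "namespace obfuscation" of a popular repository name), as an added example that is not part of the post or of any Go tooling. It reads the require directives out of a go.mod, compares each module path against an allowlist of modules you have already vetted, and flags paths within two edits of a vetted one or reusing a vetted repository name under a different owner. The allowlist, the sample go.mod and the two look-alike paths in it are constructed for the example; the real thread does not name the squatted packages.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// knownModules is a constructed allowlist: modules this project has already
// vetted (hypothetical names chosen for the example).
var knownModules = []string{
	"github.com/gohugoio/hugo",
	"github.com/spf13/cobra",
	"github.com/stretchr/testify",
	"golang.org/x/crypto",
}

// sampleGoMod is a constructed go.mod with two look-alike dependencies.
const sampleGoMod = `module example.com/app

require (
	github.com/spf13/cobra v1.8.0
	github.com/strechr/testify v1.9.0 // one letter off a vetted path
	github.com/someone-else/hugo v0.1.0
	golang.org/x/crypto v0.21.0
)
`

// Finding records one required module that resembles a vetted one.
type Finding struct{ Module, Similar, Reason string }

// requireLines extracts module paths from require directives, in both the
// single-line and the block form, ignoring comments such as "// indirect".
func requireLines(goMod string) []string {
	var paths []string
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		if i := strings.Index(raw, "//"); i >= 0 {
			raw = raw[:i]
		}
		f := strings.Fields(raw)
		switch {
		case len(f) == 0:
			continue
		case f[0] == "require":
			inBlock = len(f) == 2 && f[1] == "("
			f = f[1:]
		case f[0] == ")":
			inBlock = false
			continue
		case !inBlock:
			continue
		}
		if len(f) >= 2 && f[0] != "(" {
			paths = append(paths, f[0]) // fields are: path version [...]
		}
	}
	return paths
}

// editDistance is the Levenshtein distance between a and b (single-row DP).
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([]int, len(rb)+1)
	for j := range d {
		d[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		diag := d[0] // D[i-1][j-1] for the current j
		d[0] = i
		for j := 1; j <= len(rb); j++ {
			best := diag
			if ra[i-1] != rb[j-1] {
				best++
			}
			diag = d[j] // keep D[i-1][j] before overwriting it
			if del := d[j] + 1; del < best {
				best = del
			}
			if ins := d[j-1] + 1; ins < best {
				best = ins
			}
			d[j] = best
		}
	}
	return d[len(rb)]
}

// Suspicious flags required modules that are not on the allowlist but sit
// within two edits of a vetted path (typosquat) or reuse a vetted repository
// name under another owner (namespace imitation). Vetted paths are skipped.
func Suspicious(goMod string, known []string) []Finding {
	vetted := make(map[string]struct{}, len(known))
	for _, k := range known {
		vetted[k] = struct{}{}
	}
	var out []Finding
	for _, m := range requireLines(goMod) {
		if _, ok := vetted[m]; ok {
			continue // exact match to a vetted module
		}
		for _, k := range known {
			switch {
			case editDistance(m, k) <= 2:
				out = append(out, Finding{m, k, "within 2 edits of a vetted module (typosquat?)"})
			case strings.EqualFold(path.Base(m), path.Base(k)):
				out = append(out, Finding{m, k, "vetted repository name under a different owner"})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Suspicious(sampleGoMod, knownModules) {
		fmt.Printf("%s resembles %s: %s\n", f.Module, f.Similar, f.Reason)
	}
}
```

Treat findings as prompts for the manual look at forks, stars and issues that the comment recommends, not as an automatic block: a legitimate fork shares its upstream's repository name, and a module path with a major-version suffix (/v2) has a base of "v2", which this simple check does not strip. Transitive dependencies are covered too if you run it over the full go.mod, since Go records them there as "// indirect" lines.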

        • catloaf@lemm.ee · 3 hours ago

        The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.