• sping@lemmy.sdf.org · 7 hours ago

      That seems to be the Go way. Why put it in a library when everyone can just re-implement it themselves (and test and document it too, right? Right?).

      E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map. And then people try to paint this as a virtue of the language.

      • CptKrkIsClmbngThMntn [any]@hexbear.net · 6 hours ago

        E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map.

        Goooood fucking gravy.

        I hate to be such an opinionated programmer, but everything I’ve read about Go only reinforces my negative opinion, especially since I read this now-famous article.

        • sping@lemmy.sdf.org · 4 hours ago

          I have decades as a SWE, including deep (but now out-of-date) C++ experience, a lot more recently in serious Python systems, and a fair amount of web UI dev on the side.

          Now I have 1 year with Go. I came to it with an open mind; having heard people sing its praises, I thought it would be broadening to spend some time with a language new to me.

          My advice now is do anything you can to avoid working in golang. Almost daily, I seriously contemplate whether it’d be worth quitting and being unemployed, even in this economy (US). It is a better C, but that’s a low, low bar, at least for the project domains I ever work in. Where it’s even a plausible answer, Rust is probably a better one (I think? - haven’t used Rust for anything real).

    • abobla@lemm.ee (OP) · 9 hours ago

      I’m already writing my own dependency to check if a number is even:

      if (number == 0) return true
      if (number == 1) return false
      if (number == 2) return true
      if (number == 3) return false
      

      I’m almost there!

  • vegetvs@kbin.earth · 11 hours ago

    The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

    This is absolutely not just specific to Go.

    • blobjim [he/him]@hexbear.net · 9 hours ago (edited)

      That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?

      Not that an attack like this is unique or anything.

      • addie@feddit.uk · 7 hours ago

        CMake, which is kind of the universal standard build system for C++ now, has “fetch content” since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you’d like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you’d like. I don’t think most people would question pulling and building a library from Github as part of the build, especially if it had a sensible name for the task at hand.

    • krakenfury@lemmy.sdf.org · 11 hours ago
      • PyPi
      • npm
      • Maven Central
      • Docker Hub
      • Artifact Hub
      • PPA
      • AUR

      The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.

    • MoonMelon@lemmy.ml · 8 hours ago

      I found the original blog post more educational.

      Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.
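      The comment above suggests checking for lookalike module paths before pulling a dependency in. The following is an added example by the editor, not code from any poster or from the article under discussion: a small Go checker that parses the require lines of a go.mod and flags any module path within a couple of edits of a path on a team's trusted list, which is one cheap way to catch typosquats and "namespace obfuscation" in CI. It also shows the map-to-empty-struct set idiom complained about earlier in the thread, used here as the trusted allow-list. The go.mod text and the two lookalike module paths in it are constructed for the example and are not real packages; the trusted list is a hypothetical allow-list, not a recommendation of specific modules.

```go
package main

import (
	"fmt"
	"strings"
)

// trustedModules is a constructed allow-list of module paths the team has
// already vetted. Go has no set type, so map[string]struct{} stands in for one.
var trustedModules = map[string]struct{}{
	"github.com/spf13/cobra": {},
	"github.com/gorilla/mux": {},
	"golang.org/x/crypto":    {},
}

// sampleGoMod is a constructed go.mod. Two require lines are deliberate
// lookalikes of trusted modules (hypothetical paths, not real packages).
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/spf13/cobra v1.8.0
	github.com/sfp13/cobra v1.8.0 // transposed letters
	github.com/gorilla/mux v1.8.1
	golang.org/x/crypto v0.21.0
)

require github.com/goriila/mux v1.8.1 // one substituted letter
`

// Finding records a required module that is near, but not in, the trusted set.
type Finding struct {
	Module    string // path as written in go.mod
	LooksLike string // closest trusted path
	Distance  int    // Levenshtein edit distance between the two
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance between a and b (two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	curr := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		curr[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			curr[j] = min3(prev[j]+1, curr[j-1]+1, prev[j-1]+cost)
		}
		prev, curr = curr, prev
	}
	return prev[len(rb)]
}

// requiredModules extracts module paths from require lines, handling both
// the block form "require ( ... )" and the single-line form.
func requiredModules(goMod string) []string {
	var paths []string
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock:
			paths = append(paths, fields[0])
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			paths = append(paths, fields[1])
		}
	}
	return paths
}

// checkRequires flags required modules within maxDist edits of a trusted
// path; exact members of the trusted set are skipped.
func checkRequires(goMod string, maxDist int) []Finding {
	var findings []Finding
	for _, path := range requiredModules(goMod) {
		if _, ok := trustedModules[path]; ok {
			continue // exact match: already vetted
		}
		best, bestDist := "", -1
		for trusted := range trustedModules {
			if d := levenshtein(path, trusted); bestDist < 0 || d < bestDist {
				best, bestDist = trusted, d
			}
		}
		if bestDist >= 0 && bestDist <= maxDist {
			findings = append(findings, Finding{path, best, bestDist})
		}
	}
	return findings
}

func main() {
	for _, f := range checkRequires(sampleGoMod, 2) {
		fmt.Printf("suspicious: %s resembles %s (distance %d)\n", f.Module, f.LooksLike, f.Distance)
	}
}
```

      Run against the constructed go.mod, it reports the two lookalikes and stays quiet about the three vetted paths. A distance threshold of 1 or 2 is enough to catch transposed or substituted characters; anything larger starts matching unrelated paths, so a real check would pair this with the fork/star/issue-count look the comment describes rather than replace it.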

      • catloaf@lemm.ee · 7 hours ago

        The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.