Being reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from Github and "checked the code himself, it had looked legitimate":

https://archive.is/yAUNy

> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.

[0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...

• tedd4u

  today at 4:36 PM

  Strong support for the strategy of not putting your TOTP/MFA in your password manager, which has been argued on HN in the past.

  • 8cvor6j844qw_d6

    today at 5:57 PM

    > Strong support for the strategy of not putting your TOTP/MFA in your password manager

    Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.

    Password managers assumes a non-compromised device. I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.

    A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.

  • rolph

    today at 5:54 PM

    i would also offer, do not use the same device for everything, make sure any local connectivity has firewalled [dot]finances, and [dot]tech lab from each other and else. you should probably split your network to further isolate.

    use intentional spelling mistakes in your password vault, edit the password by hand. you also need to have some way of authenticating login components to be sure your running your version of login, and not a trojan login.

  • uncivilized

    today at 6:40 PM

    Story states he wasn't using 2FA for his 1password account at all.

  • Terr_

    today at 4:55 PM

    > putting your TOTP/MFA in your password manager

    I suppose the inverse would be starting with a device that offers TOTP/MFA, and then making your password-manager/vault somehow available on that same device. In either case, bringing them together makes it easier for an attacker to compromise both at the same time.

    On reflection, I've never actually put my (personal) password vault on my phone, but that may be less of a conscious security stance than fulfilling a millennial stereotype, where certain tasks (like big purchases) are reserved for "a real computer."

    Closest I've gotten is having my USB backup keychain in the same pocket, so I could get to it in an emergency, but it's inconveniently air-gapped.

    • rectang

      today at 5:07 PM

      As much as I like the Apple Passwords app, one of its downsides is that if I have my TOTP app on my iPhone, both passwords and TOTP live on the same device. So for many services I use Bitwarden for passwords.

  • toomuchtodo

    today at 4:56 PM

    Or using a hardware authenticator.

• giancarlostoro

  today at 5:30 PM

  If I go through the effort to view the code for something, I then compile it myself.

  • hnlmorg

    today at 5:45 PM

    What makes you think he downloaded a pre-compiled binary? The link article doesn’t explicitly say that’s what happened. It just says he downloaded software from GitHub. Which might well have been the source code that he then compiled.

> Why do they only clone new repositories, rather than popular ones? > Why do they delete a commit and push a new one every few hours?

Because this is not targetted to humans. It's targetted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster.

Then to the more interesting question: why now?

1. Agents, agents everywhere.

2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm - and my guess is it's looking to all those sweet sweet Facebook/Instagram/Tiktok/Whatsapp accounts ready to bot their way into oblivion.

This is just one flavour of abuse. GitHub does NOT give a shit about the scale of the malware problem.

I've seen so many forms of malware repos working on a GitHub trends newsletter [1], mostly about crypto, NFTs, KMS, and similar stuff.

In the first runs of the project, I was so surprised by tens of malware repos that looked like trending repos. A lot of them share some common traits that made filtering feasible:

- Made by a fresh GitHub user - many created in the past few days.

- The average creation date of Stargazers accounts is very close to the repo creation date. If you take the mean time diff, those bad repos get exposed.

I reported 10s of malware repos, but then I gave up as I felt GitHub was not really doing enough to fight back. I was like... these guys don't seem to care, why should I?

God knows how many people have been abused by these malware repos on GitHub.

---

[1] https://github.com/mhadidg/gh-trends

• rozab

  today at 6:28 PM

  If most malware repos are created in the last few days by a fresh user, then it sounds like GitHub is taking action against them? Or where are the old ones?

• socalgal2

  today at 6:06 PM

  Most of HN doesn't give a shit about the malware problem. They will happily click "Give XYZ App ... permission to act on your behalf" to all of their repos with zero knowledge of what permissions are being requested. Github's Auth system doesn't tell the user what permissions are being requested

  Note: Github has 2 auth systems. OAuth, and Github Auth. OAuth lists permissions but most apps use Github Auth which does not. So that app that gives you a badge or lets you comment could asking for write permission all your repos. You have no idea.

  • sieabahlpark

    today at 6:30 PM

    [dead]

> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results

Side story, this kind of thing is what made me stop using Bing.

I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"

I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.

• sureglymop

  today at 4:04 PM

  I've seen it many times on google where the phishing sites were advertised results stickied above the results they impersonate.

  Another good reason to use ublock origin!

• weird-eye-issue

  today at 1:56 PM

  This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match

  • tuetuopay

    today at 6:31 PM

    That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!

    I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.

  • StableAlkyne

    today at 2:34 PM

    I use keepass (FOSS under GPL, fully offline).

    It does not detect domains.

    • jabroni_salad

      today at 4:10 PM

      The autotyper can with a little bit of finangling. Every browser has a 'url in title bar' extension avaialble and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make I would think.

    • throawayonthe

      today at 4:25 PM

      you can have it be offline and still a browser extension (when i used keepassxc it could to that)

    • graemep

      today at 3:03 PM

      KeepassXC browser integration will do that.

  • vel0city

    today at 2:00 PM

    "Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."

    Meanwhile U2F/Passkeys can't possibly be abused like this.

    • tjoff

      today at 2:07 PM

      Yeah but the downsides of passkeys make them so much worse anyway.

      • jcattle

        today at 2:25 PM

        Pretty happy with having a yubikey on my keychain. Log in someplace new? plonk in your yubikey and off you go!

        • AlotOfReading

          today at 2:41 PM

          I used to keep a yubikey in a spare slot on my laptop. One day it fell out and subsequently escaped through an unnoticed hole in my backpack.

          I've never lost a password because my backpack was overly abused.

          • brendoelfrendo

            today at 2:51 PM

            That's why you keep it on your keychain and not in a spare slot on your laptop.

            • AlotOfReading

              today at 4:19 PM

              It's not possible to put a 5c nano on a keychain. They're intended to be kept in the slot at all times.

              • today at 4:33 PM

        • someguyiguess

          today at 2:38 PM

          And when your keychain gets lost then what?

          • jcattle

            today at 2:52 PM

            Then I have a backup yubikey at home for services which allow to register two keys. For other's there's still good old password+some second factor.

          • vel0city

            today at 4:26 PM

            Then I use the authenticator built into my phone. Or the authenticator built into my desktop. Or the authenticator built into my laptop. Or my other authenticator.

            My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.

            • LtWorf

              today at 5:55 PM

              https://xkcd.com/981/

          • brendoelfrendo

            today at 2:52 PM

            I open the safe where I keep my spare Yubikey. Or I use the passkey stored in my phone, or the one on my laptop. Make passkeys, put them everywhere.

    • bonoboTP

      today at 2:08 PM

      Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.

      Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.

• swatcoder

  today at 5:20 PM

  > I never see Google return phishing pages

  Maybe you're not looking or maybe you're lucky.

  Either way, many of us see it happen all the time there too. For GitHub especially, I almost never get the canonical repo for a project in my Google results. Phishing or innocuous, it's almost always some fork at the top and then a bunch of non-github.com sites.

  Search is more or less "cooked" now, as they say. Google vs Bing vs DDG vs Kagi is mostly in the noise.

• spicyusername

  today at 2:55 PM

      at least not Google
  

  Is one giant mega-corp better than any other?

  You're going to have a hard time convincing me the answer is yes.

• abc123abc123

  today at 2:54 PM

  Why would you go to your bank by first searching for it? Sounds very insecure to me. I type my banks url directly instead, or if that gets tedious, store it as a bookmark.

  I know several people who search for important sites, click uncritically on links, and get scammed. This is not so good.

• chrisweekly

  today at 2:41 PM

  speaking only to search quality: try Kagi.

• astronodev

  today at 2:00 PM

  [dead]

This is happening to me as well. I have a few moderately popular open source projects and I have found my name attached to new projects that I have nothing to do with or they are derivatives of my projects with redirection to unknown sites.

Legitimate projects:

https://github.com/jimmc414/onefilellm

https://github.com/jimmc414/Kosmos

https://github.com/jimmc414/cctrace

Projects using my name which I have no affiliation with or they are projects I have written that they have injected new URLs into:

https://hub.decision.ai/skills/jimmc414/benchling-integratio...

https://lobehub.com/skills/jimmc414-claude-code-plugin-marke...

https://mcpmarket.com/tools/skills/geniml-genomic-machine-le...

https://mcpmarket.com/tools/skills/biopython-for-molecular-b...

I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.

• spicyusername

  today at 2:53 PM

  The choice is between code you can validate and code you can't, not code that has malware and code that doesn't.

  • swatcoder

    today at 5:27 PM

    That's not a distinction that people really benefit from.

    Approximately nobody can read other people's code for intent or quality, let alone to surface malware meant to be hidden in it.

    For almost everyone, the only hope is that somebody else validated the code you want to use before you choose to use it and successfully interfered with its distribution upon finding an issue. That's why the culture of automatic-updating package managers and bloated dependency graphs are so dangerous and why inserting delays into package managers can make such a difference in exposure to supply chain attacks for those that are intent to use them.

    It's true that open source provides the transparency that makes any kind of third-party validation possible, but closed source benefits from commercial vendors staking their brand on what they release. It's a tradeoff, not a straightforward win for one side.

    • spicyusername

      today at 6:36 PM

          That's not a distinction that people really benefit from.
      
          Approximately nobody can read other people's code for intent or quality
      

      I can't disagree more.

• embedding-shape

  today at 1:46 PM

  > the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons

  You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?

  The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?

  • emodendroket

    today at 1:48 PM

    No, I've not been "living on" such a principle but it was a big claim for "the bazaar."

    • embedding-shape

      today at 1:50 PM

      Aha, wasn't that argument more about that closed source software is more likely to hide stuff you don't agree with, than FOSS? Not necessarily that FOSS won't have any viruses or malware, but it's at least less likely. That was my take away, but long time ago I read the book admittedly, I might misremember or transformed it automagically over time.

      • CapsAdmin

        today at 2:09 PM

        This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.

        The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as as binaries.

        • jankdc

          today at 2:38 PM

          > source code open makes it auditable, if not by you, maybe the community

          I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.

          • embedding-shape

            today at 6:06 PM

            I don't know, I feel like the "numbers" like upvotes, stars, favorites or whatever stops working for me the second I see it being obviously gamed, and when there is a ton of services for buying "higher $number". GitHub stars probably stopped mattering around 2016-17 sometime, I think that's the first time I came across one of those "increase $number" services.

            By now (imo), the entire web is gamed and no number can be trusted, I operate completely on a qualitative basis rather than quantitative, basically the only way I can get something out of the web. Ignore all and any numbers as any indication of anything.

    • abc123abc123

      today at 2:53 PM

      You'd better read it again, because that claim does not figure in that text. You might mean that with more eyes on the code, more bugs are found, than with no eyes on the code. But that is not what you are saying here.

      • rectang

        today at 4:54 PM

        Here is the relevant quote from _The Cathedral and the Bazaar_[1], which was given the name _Linus's Law_[2] in honor of Linus Torvalds:

        > Given enough eyeballs, all bugs are shallow.

        [1] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...

        [2] https://en.wikipedia.org/wiki/Linus%27s_law

  • Defletter

    today at 3:48 PM

    > You've been living on such a principle? That sounds insane

    Fun fact, I've spent the last few days fretting over whether to add H2 to my FabricMC mod. The problem being that I don't know what class-loading shenanigans could possibly occur if I jar-in-jar include it: what happens if another mod has H2 jar-in-jar included? Will my mod only reference its own version of H2? What implications [if any] would that have? Or will the Fabric Loader pick one? What if another mod has H2 shaded instead? Will the classes clash differently? What if, instead of jar-in-jar including it, I shade and relocate it? Does H2 or JDBC rely on reflection or services that would render it non-functional?

    All recommendations point to using/creating a mod specifically for that library and depending on it. As luck would have it, one already exists on Modrinth. Except... I'm then requiring anyone who trusts my mod to also install this other mod that I have no control over. I just looked at the source code and it looks fine, but that's if you trust that the published jars are the exact result of that source code: maybe there's something malicious in the Gradle Wrapper binary. This mod could at any time become malicious and how would I detect that?

    Guess what? I asked around and was summarily told to stop worrying, that it's fine. We on this website need to realise that we're a minority: NO ONE is routinely (or even occasionally) scrutinising the source code of the stuff they install from third-party websites. I have never, not once, seen anyone hash a downloaded file to check that it matches what's on the website. At the very most, I've seen people find the Github repo, see that it has a lot of stars, and then assume it's safe.

    • embedding-shape

      today at 5:37 PM

      It's worth remembering that mod development/ecosystem has a very different engineering approach compared to software engineering in companies, or even FOSS at large. If you asked around in a modding community about software development, you'd get very different responses compared to the in-house company Slack or whatever.

      • Defletter

        today at 5:59 PM

        Of course, it's a largely hobbyist venture, which also inadvertently makes it more difficult to audit. But the software engineering aspect was not really the point, just the context: the vast majority of people will just blindly install anything (regardless of whether it's open or closed source), clicking through the installation wizard, accepting the prompts for admin privileges, etc, without a care. But even within the minority of us end users who know what "open source" even means, there's a shocking amount of people who assume that an open source project is necessarily safer because, well, the source is publicly available... someone must've already done an audit, therefore it's safe.

  • tuwtuwtuwtuw

    today at 1:51 PM

    > You've been living on such a principle?

    I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.

    • nixosbestos

      today at 2:49 PM

      No, it's really not, and really hasn't been. Do people truly have such poor reasoning and logic skills?

      "Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in open-source software". I've literally never heard someone claim the latter.

      (edit for coherency, thanks graemep)

      • graemep

        today at 3:02 PM

        I think you mean open source in the second bit in quotes.

      • birksherty

        today at 3:31 PM

        > "it is impossible to hide malware in open-source software"

        No nobody said "exactly that". But many times I've seen people claiming to trust open source as it is safer and people can check and build themselves. Seen it too many times. But reality is different than what is claimed.

        • thwarted

          today at 4:56 PM

          It's safer in the same sense as if you're paranoid about your date being a serial killer, you meet them in a public venue. It doesn't mean your date isn't a serial killer, but the risk profile is different because other people can be involved/witness/have context.

          You didn't use the word "safe", you used the relative term "safer", and on average, it is harder to hide ill intent in open source software, there's a greater chance it will eventually be discovered. The blast radius is larger for open source (because the barrier to using it is lower), which increases the number of people impacted, but an increase in the number of people impacted also increases the chance of discovery and motivation to address it once discovered.

      • tuwtuwtuwtuw

        today at 4:57 PM

        I genuinely don't understand what you are trying to say.

    • fsflover

      today at 2:00 PM

      This is not the argument at all. It's just easier to discover malware in closed software.

• ptx

  today at 2:35 PM

  The problem the article is describing seems to have little to do with open source. There were GitHub repositories that had links added in their READMEs to a zip file containing compiled binaries.

  GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)

• BonerWiener

  today at 4:00 PM

  > I have to say, the principle that open-source software can't do anything nefarious because the source is open

  No is saying this. I think you have misunderstood the principles of open source. I'd rather be able to verify the code i am running, then it being locked down, propreitery.

  I have the possibilty to audit FOSS. Cant do it for propreitery software

• nkrisc

  today at 4:13 PM

  Never heard of that principle. I have heard people say that if an open source project was doing something nefarious it would be easier for someone to discover it.

• moomin

  today at 3:23 PM

  Ironically, one of the promises of AI: enough eyeballs.

  The catch is the eyeballs can also be used to generate exploits.

• today at 2:36 PM

• prmoustache

  today at 4:53 PM

  Why the hell do you think this is related to open-source software?

• atmosx

  today at 2:19 PM

  Not true. If statistics offer a “measure” of reality, my guess is that “OS doing nefarious things” must fall between 0,005% and 0,007%. In any case compared to the extracted value it’s … nothing.

• ffacu

  today at 3:37 PM

  I think that this is becoming increasingly true only for large, well-known repositories, where the maintainers have a lot to lose by doing anything shady. I don't think the React team could get away with doing something like that, for example.

• today at 2:56 PM

• Yokohiii

  today at 2:34 PM

  If all projects on github were closed source with public "trust me bro" binaries the situation would be of course much better.

  • birksherty

    today at 3:35 PM

    "Trust me bro" is what people say about open source everywhere when it's not true.

• megous

  today at 3:58 PM

  What's opensource about this?

    - Application.cmd or Launcher.cmd
    - loader.exe or luajit.exe or another_name.exe
    - random_name.cso or random_name.txt
    - lua51.dll
  

  All of the content are binaries or launcher scripts.

• LtWorf

  today at 5:56 PM

  It held up before github became a platform for grifters and having stars attracted VCs.

• flykespice

  today at 4:35 PM

  The xz backdoor should've been a wake up call for everyone subscribing to the classic cargo cult that "malware can't exist in open-source software". All the payload was submitted through auditable code that was cleverly concealed from review.

I uploaded a sample found here (https://github.com/alexct142010-cell/McBackuper ) to Genus Codes (need an account): https://genuscodes.com/results/7ad4b911d05a12f91ab27ba3baa35... Seems to be related to the disco trojan family, by way of normalized function matching at 50% to malicious file https://genuscodes.com/results/eddbc29db4677e00c1a901aadbadb... and a normalized 50% match to https://genuscodes.com/results/fdb6cff68a2a8c08779d64a7cf61d...

Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...

> Why do they delete a commit and push a new one every few hours?

May be to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users endup cloning the trojan infected one.

• philistine

  today at 3:41 PM

  Bingo!

I reported a repo containing obvious nulled software to GitHub in February 2024.

The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried.

The repo is still there 2+ years later and GitHub has taken no action.

If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.

• xantronix

  today at 5:07 PM

  GitHub is so close to becoming SourceForge. In order to become the scum-infested cesspool it truly longs to be, Microsoft needs to relentlessly serve ads on GitHub. Then, the cycle will once again be complete.

  I can't wait to discover the next thing to be disappointed by in a decade's time.

It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.

• dentemple

  today at 3:39 PM

  This is what a community is for!

  No individual person can be the superhero that saves the day on everyone's behalf. But what we can do is provide what little help or insight that we have, and then pass the issue along to others.

  Perhaps all it means is that you end up doing what OP did: the "deeper" research that you mentioned plus a little post on Hacker News or elsewhere.

  Even if nothing comes of it in the end, at least you'll have tried.

People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really aught to be tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).

• junon

  today at 1:50 PM

  There are. Socket, Aikido, and a number of others do this all the time.

  • aweiher

    today at 2:13 PM

    Step-Security, Wiz ..

A year ago a similar attack was reported and I think that there have been similar campaigns reported this year: https://github.com/evilsocket/opensnitch/discussions/1290#di...

  - This is a new repository, not a fork
  - All repositories have different contributors and different names
  From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.

Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.

> Another month later, GitHub support sent me an email saying that they had removed these repositories.

I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.

I reported it to GitHub and it was removed within 24 hours.

I discovered another repository like this, and they still haven't replied since (one month).

No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)

• mrbluecoat

  today at 3:24 PM

  > I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware

  ...like Windows Defender? Oh, the irony :D

Can anyone tell me if there are similar risks installing software using Brew on macos? I would imagine so.

This is a failure of malware flagging systems as well - VT should not return clean if there are any downstream files that are malicious - such as in this case.

I got some source code leaked and added a malware on top of it. Not sure what to do with it

I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.

I added keyoxide proofs everywhere. It's not really protection against victims using the wrong repo, but at least people who look can be certain that the person who controls my domain and website is the same person who controls that particular GitHub account.

>The zip archive contains 4 files: Application.cmd or Launcher.cmd loader.exe or luajit.exe or another_name.exe random_name.cso or random_name.txt lua51.dll If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.

MS Windows

It will feel very spooky when they stop updating because of this essay .

Any open source tool to scan a github repo before download/install it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option

is it possible to ban them or report them ?

are there any ci/cd that controls them?

• astronodev

  today at 1:53 PM

  [dead]

damn 10k ? thats a lot, how did you get them ?

• theorchid

  today at 2:29 PM

  Hmm. Using a script. That's explained in the article)

Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".

• radicaldreamer

  today at 4:53 PM

  You can bet they’ve tried it and had a bunch of false positives, so the PM nixed it because it would be bad for business.

[dead]

the en-ghettofication of american tech, down to its very open source control projects. a digital ghetto ill maintained if at all.

• doug_durham

  today at 4:48 PM

  There’s nothing new here. This is how open source software has been since its inception. It’s just the nature of reality.

  • prmoustache

    today at 4:58 PM

    This story is totally unrelated to open-source. There is no mention of a source let alone a license.

Hi Claude fable, why u not protecting me from malware? Am i not american enough? Not rich enough? Yieks..