125
submitted 21 hours ago* (last edited 20 hours ago) by ikidd@lemmy.world to c/linux@lemmy.ml

Apparently there's a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly get a pile of stars more than the original, and then there's a curl-bash pipe inserted into it that runs some ransomeware that encrypts ~/Documents.

About a dozen other projects linked in here from another developer (excuse the Reddit link): https://old.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/

all 36 comments
sorted by: hot top controversial new old
[-] Goun@lemmy.ml 5 points 3 hours ago

Why the Documents folder tho? Who expects important stuff to be there?

Now all my Linux ISOs are gone, smh

[-] pinguinu@lemmygrad.ml 5 points 9 hours ago

That simply wouldn't work in non-english machines lmao

[-] SirQuack@feddit.nl 3 points 3 hours ago

Maybe they're using xdg-dirs? That might work, won't it?

[-] atzanteol@sh.itjust.works 19 points 14 hours ago

I keep saying this curl bash pipe shit needs to stop.

[-] Goun@lemmy.ml 3 points 3 hours ago

Yes, I agree, but then, what would be an alternative?

Store it into a file, chmod it and run it? git clone the repo and run a script from it? I don't think any of those would be different, apart from having more steps most people won't even check anything.

I don't know if we can fix this while allowing people to run stuff they don't understand on their machines. Maybe community curated scripts or something, know the people who does the stuff and only run stuff made by people you already know.

I think we're running too fast, we need to chill down, idk.

[-] eager_eagle@lemmy.world 10 points 13 hours ago

good time to not have a ~/Documents and keep backups encrypted off site

[-] lka1988@lemmy.dbzer0.com 29 points 17 hours ago

...the fuck is that title? I got a headache trying to make sense of it.

[-] ikidd@lemmy.world 17 points 17 hours ago

Yah, I read it afterwards and realized I'd verbed a noun. I'm not proud of it.

[-] kurumin@linux.community 9 points 11 hours ago

Here in Lemmy you can edit titles

[-] Aatube@kbin.melroy.org 35 points 18 hours ago

Finally, Linux is popular enough to get targeted by malware!

[-] just_another_person@lemmy.world 53 points 21 hours ago

This isn't really a supply chain attack. It's more social engineering: fake users, forks, and non-verified code. They're taking advantage of the fact that most people don't use verified releases or packages code from open source projects.

GitHub is not compromised, nor sending unintended payloads.

[-] ikidd@lemmy.world 3 points 21 hours ago

Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

[-] just_another_person@lemmy.world 31 points 21 hours ago* (last edited 21 hours ago)

But that's not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.

[-] ikidd@lemmy.world 9 points 20 hours ago* (last edited 20 hours ago)

OK, fair enough, I changed the title.

[-] crystalwalrus@programming.dev 19 points 20 hours ago

Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.

Jokes on them, I don't keep shit in ~/Documents, all my goodies are on a network share mounted at ~/Netstore

[-] harsh3466@lemmy.ml 12 points 21 hours ago

Hahaha. Was about to comment nearly the same thing. My NFS share has a different mount. ~/Documents is an empty directory

[-] DaveX64@lemmy.ca 3 points 20 hours ago

I was going to say that too, ha!

[-] phoenixz@lemmy.ca 6 points 17 hours ago

Yay, finally Linux is being attacked!

And as expected it takes whole lot more than clicking on an email attachment

Always check before you curl download something!

[-] racketlauncher831@lemmy.ml 2 points 4 hours ago

No. Feel free to download shit and even attempt to run shit. Chances are they won't run because shits are compiled against glibc and my system is not.

[-] superkret@feddit.org 10 points 21 hours ago

lol, just checked. ~/Documents doesn't even exist on my machine.

[-] cralder@lemmy.world 13 points 21 hours ago
[-] oo1@lemmings.world 9 points 20 hours ago

oh oh, I'm a below average arch user. I suspect i copied most of my hoome from debian or something.

I'll rename it to Dickuments as a security feature.

[-] LandedGentry@lemmy.zip 4 points 19 hours ago

Hackers gonna wanna Netflix and chill

[-] ikidd@lemmy.world 5 points 21 hours ago

Me neither, I nuke the default freedesktop folders on an install because they clutter up my home folder. But I'd imagine we're the exception.

[-] MangoPenguin@lemmy.blahaj.zone 4 points 20 hours ago

It's an interesting thing to think about, wouldn't widespread desktop Linux malware be quite bad because of the lack of any AV/Malware detection typically used?

[-] just_another_person@lemmy.world 5 points 20 hours ago

Uhhhhh, there's plenty of that being used. From the ground up. Security scanning out the wazzzz. Those are pattern-based scanners though, and this probably wouldn't be detected because it's a blob of binary junk with a script inside. GitHub should honestly put something on their storage backends to warn users, but that's a whole ball of wax people probably don't want to get into.

[-] sylver_dragon@lemmy.world 4 points 20 hours ago

It depends on the environment. I've been in a couple of places which use Linux for various professional purposes. At one site, all systems with a network connection were required to have A/V, on-access scanning and regular system scans. So, even the Linux systems had a full A/V agent and we were in the process of rolling out EDR to all Linux based hosts when I left. That was a site where security tended to be prioritized, though much of it was also "checkbox security". At another site, A/V didn't really exist on Linux systems and they were basically black boxes on the network, with zero security oversight. Last I heard, that was finally starting to change and Linux hosts were getting the full A/V and EDR treatment. Though, that's always a long process. I also see a similar level of complacency in "the cloud". Devs spin random shit up, give it a public IP, set the VPS to a default allow and act like it's somehow secure because, "it's in the cloud". Some of that will be Linux based. And in six months to a year, it's woefully out of date, probably running software with known vulnerabilities, fully exposed to the internet and the dev who spun it up may or may not be with the company anymore. Also, since they were "agile", the documentation for the system is filed under "lol, wut?"

Overall, I think Linux systems are a mixed bag. For a long time, they just weren't targeted with normal malware. And this led to a lot of complacency. Most sites I have been at have had a few Linux systems kicking about; but, because they were "one off" systems and from a certain sense of invulnerability they were poorly updated and often lacked a secure baseline configuration. The whole "Linux doesn't get malware" mantra was used to avoid security scrutiny. At the same time, Linux system do tend to default to a more secure configuration. You're not going to get a BlueKeep type vulnerability from a default config. Still, it's not hard for someone who doesn't know any better to end up with a vulnerable system. And things like ransomware, password stealers, RATs or other basic attacks often run just fine in a user context. It's only when the attacker needs to get root that things get harder.

In a way, I'd actually appreciate a wide scale, well publicized ransomware attack on Linux systems. First off, it would show that Linux is finally big enough for attackers to care about. Second, it would provide concrete proof as to why Linux systems should be given as much attention and centrally managed/secured in the Enterprise. I know everyone hates dealing with IT for provisioning systems, and the security software sucks balls; but, given the constant barrage of attacks, those sorts of things really are needed.

this post was submitted on 16 Mar 2025
125 points (97.0% liked)

Linux

51909 readers
1076 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS