Never-before-seen Linux malware is “far more advanced than typical” : technology

[–] MonkderVierte@lemmy.zip 30 points 1 day ago

The usual far more advanced malware than typical.

[–] fubarx@lemmy.world 92 points 1 day ago* (last edited 1 day ago) (3 children)

If you download and install untrusted code extensions, you're screwed. Not like it's rocket-science.

[–] CosmicTurtle0@lemmy.dbzer0.com 109 points 1 day ago (2 children)

As we push more average Windows users to Linux, we need to be prepared for these users to download and run completely untrusted code.

[–] kumi@feddit.online 5 points 15 hours ago* (last edited 15 hours ago) (1 children)

Friends don't tell friends to "Just curl shiny.tool/install | sh" or "Just git clone and docker-compose up".

[–] captain_aggravated@sh.itjust.works 4 points 12 hours ago

You know, I have encountered a lot of "just pipe curl into sh" from people who absolutely should know not to do that.

[–] blackn1ght@feddit.uk 79 points 1 day ago (3 children)

Let's be honest, how many current Linux users can trust any code that they run? There's so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.

[–] kumi@feddit.online 2 points 11 hours ago* (last edited 11 hours ago)

If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.

Roughly,

High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
IDGAF: curl | sh

[–] village604@adultswim.fan 2 points 20 hours ago

Probably a bunch. But having the ability doesn't mean it's used.

[–] plateee@piefed.social 3 points 1 day ago

Oh you want this cool terminal experience? Just run:

curl https://totally-normal-website.io/installer.sh | sudo bash

[–] evol@lemmy.today 12 points 1 day ago (2 children)

its kind of crazy how much I used to use the AUR, Was just randomly running randoms peoples scripts to install packages.

[–] nutsack@lemmy.dbzer0.com 1 points 18 hours ago (1 children)

I'll probably never stop doing this. I like it too much

[–] kumi@feddit.online 2 points 14 hours ago (1 children)

https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/

There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.

You do as you wish but please don't normalize dangerous behaviour.

[–] nutsack@lemmy.dbzer0.com 2 points 14 hours ago* (last edited 14 hours ago) (1 children)

you can also try to avoid installing random fork packages with 1 vote uploaded by Steven

[–] kumi@feddit.online 1 points 13 hours ago* (last edited 13 hours ago)

Of course.

As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.

As well as botting of votes and comments.

[–] Sxan@piefed.zip 0 points 18 hours ago (1 children)

I still do. It's to pass þe time between Russian Roulette on Saturdays.

[–] evol@lemmy.today 3 points 17 hours ago

Arch is truly just a gamblers distro

[–] ragas@lemmy.ml 11 points 1 day ago (3 children)

So who can you trust?

[–] ambitiousslab@feddit.uk 33 points 1 day ago (1 children)

You can trust the software in your distro's repositories (if you run a distro with well-maintained repositories). This is because, generally only well-known software gets packaged, the packager should be familiar with both the project and the code, and everything is rebuilt on the distro's own infrastructure, to ensure that a given binary actually corresponds to the source.

It might still be possible for things to slip through, but it's certainly much safer than random programs from online.

[–] squaresinger@lemmy.world 6 points 18 hours ago

*insert obligatory xz utils reference*

[–] ZILtoid1991@lemmy.world 4 points 1 day ago

Depends on.

If you're not using your PC for highly critical applications, go high-trust mode, and read news about those who become untrustworthy.

For critical applications, always check the usernames of the developers, use software trusted by others, etc.

[–] RalfWausE@feddit.org 4 points 1 day ago (1 children)

Yourself and the code you read and understand. So as long as you don't use a system where this is possible (say 9Front and the like) you trust nothing and nobody, do careful backups and don't go on a installation spree.

[–] squaresinger@lemmy.world 4 points 18 hours ago

I fear there is no such system where this applies. The tech stack on any old netbook is so advanced and complex that there is nobody on this planet who fully understands it.

Being theoretically able to read the code is certainly better than not being able to, but it's not the same as having actually read and understood all the relevant code to the point where you can be somewhat confident that there's no backdoor in it.

(And even if someone had the time and mental capacity to do that, at some point when going through the stack you always hit a proprietary layer. Be that drivers, the bootloader, component firmware or the hardware itself.)

[–] chocrates@piefed.world 51 points 1 day ago (1 children)

Doesn't say anything about the exploits. Just talks about a command and control suite.

[–] adespoton@lemmy.ca 38 points 1 day ago* (last edited 1 day ago) (1 children)

It very clearly states that there were no exploits; the researchers stumbled across the undeployed C&C suite.

[–] chocrates@piefed.world 6 points 1 day ago

Oh I missed that line

[+] Sims@lemmy.ml -122 points 1 day ago (5 children)

"The VoidLink interface is localized for Chinese-affiliated operators, an indication that it likely originates from a Chinese-affiliated development environment."

Baha, shit propaganda.. Yes of cause it MUST be the Chinese ! I mean, it is impossible to fake an interface in another language, and we all know they are out to eat our children.. sigh..

And who says ? This is not better than the shit corps amazon, micro***p, etc, that are now identifying foreign 'threats' for the US Fascist regime. Who gave private corps the right to examine AND convict other nations - without any transparency or oversight - on a whim from their Boss.

Get away from US *unts and their insane propaganda - ASAP !!

[–] Saapas@piefed.zip 87 points 1 day ago (1 children)

Certified .ml moment

[–] TipsyMcGee@lemmy.dbzer0.com 14 points 1 day ago

The reasoning is curious: "This thing that China is credibly accused of doing is bad, therefore it cannot be China that's doing it".

[–] adespoton@lemmy.ca 81 points 1 day ago

Have you looked at the files? They were obviously generated in a Chinese-affiliated development environment, and the interface is designed for Chinese speakers. Which is exactly what they said. They very pointedly DIDN’T say that the malware was written by the Chinese government or one of their affiliates.

It’s also not in the same style as the stuff generated by the various Chinese APT groups, so is likely by some third party with Chinese connections. It’s a very methodical and thorough collection, but it wasn’t discovered via an attack — the researchers stumbled across the test environment. And that’s not something that’s likely to be the case with state actor-related groups.

[–] CeeBee_Eh@lemmy.world 13 points 1 day ago

Did you get your $0.50 for that?

[–] Zomg@piefed.world 4 points 1 day ago

Yikers lmaooo. Maybe it could.. but what if...OMG it's true? you aren't in control of your own thoughts it seems.

[–] acosmichippo@lemmy.world 11 points 1 day ago* (last edited 1 day ago)

you know, you’re right. it couldn’t have been china or russia since it’s far more advanced than typical.

[+] tidderuuf@lemmy.world -59 points 1 day ago (5 children)

With no indication that VoidLink is actively targeting machines, there’s no immediate action required by defenders, although they can obtain indicators of compromise from the Checkpoint blog post.

Don't click on the article. It's an AI regurgitated summary and internet rot site.

You're welcome.

[–] Nawor3565@lemmy.blahaj.zone 70 points 1 day ago (1 children)

Did you just call Ars Technica an "internet rot site"?

Good way to make it obvious you don't know what you're talking about without saying you don't know what you're talking about.

[–] adespoton@lemmy.ca 55 points 1 day ago

Considering Dan isn’t a bot and responds to comments in the forum, I suspect you have no clue what you’re talking about.

The sourced research he cites is also not AI generated.

[–] solrize@lemmy.ml 46 points 1 day ago (1 children)

Ars technica is usually legit.

[–] jjlinux@lemmy.zip -2 points 1 day ago

'Usually' being the operating word. It's still a media Corp owned company part of Condé Nast, like Wired.

[–] acosmichippo@lemmy.world 10 points 1 day ago

you're AI on an internet rot site.

[–] BananaIsABerry@lemmy.zip -3 points 1 day ago

Yeah! AI bad!

Give him the updoots for saying it!

Technology

Our Rules

Approved Bots