204

Over 100,000 Infected Repos Found on GitHub (apiiro.com)

submitted 4 months ago by Zerush@lemmy.ml to c/opensource@lemmy.ml

26 comments fedilink hide all child comments

all 27 comments

sorted by: hot top controversial new old

[-] kittykittycatboys@lemmy.blahaj.zone 85 points 4 months ago

remember kids, always use git condom

[-] QuandaleDingle@lemmy.world 8 points 4 months ago

XD had me rollin'!

[-] baconman1945@lemmy.world 6 points 4 months ago

Sorry, I’m new here and to Linux. I’ve read a little about git versioning, but I don’t get the joke. Can someone provide some insight?

[-] QuandaleDingle@lemmy.world 9 points 4 months ago* (last edited 4 months ago)

Yeah, you can push and pull code to your repository with git. With this joke, you use the condom to stop all operations. XDXDXD

[-] baconman1945@lemmy.world 3 points 4 months ago

lol, got it. Thanks

[-] bort@sopuli.xyz 39 points 4 months ago

I don't see how "scammers creating scam repos" [2] is newsworthy at all. At least the headline seems like a big nothing-burger to me.

farther down in the article are 2 interesting informations, namely this diagram [1] and the fact that scammers seem to have moved from pip to github, and then started to use forks to make their scam-clones appear more believable.

[1] https://apiiro.com/wp-content/uploads/2024/02/Malicious-Package-Timeline.png

[2] 1000 guys make 1000 clones of 1000 legit libraries, and than create 1000 forks of their clones, to make them seem more legit than the original lib. 999 of each 1000 clones get autofiltered by github

--> 100010001000*1000/1000 = 1.000.000.000 infected repos(inkluding forks) and 1.000.000 (wihout forks).

so the number of 100.000 infected repos doesn't seem to be interesting or unexpected in any way.

[-] delirious_owl@discuss.online 17 points 4 months ago

Friends dont let friends install software that isn't signed.

Use apt.

[-] Pantherina@feddit.de 12 points 4 months ago* (last edited 4 months ago)

Lol apt

Or to frame it differently, use a package manager and not appimages etc.

[-] delirious_owl@discuss.online 3 points 4 months ago

AppImages actually do have (optional) support for signatures.

[-] Pantherina@feddit.de 2 points 4 months ago

They have no update feature afaik, how does this work? What verified this signature, the user?

[-] delirious_owl@discuss.online 2 points 4 months ago

Its a subcommand of the AppImage. The developer adds the signature to the AppImage and the user verifies it after download with the subcommand.

[-] Pantherina@feddit.de 1 points 4 months ago

Thats nice, didnt even know there was an interface for managing appimages?

[-] andreas@lemmy.korfmann.xyz 3 points 4 months ago

I mean, yeah but not everything is available over apt. I try to use it whenever I can though

[-] Amaterasu@lemmy.world 17 points 4 months ago* (last edited 4 months ago)

Do we see this very often with APK repos? I mean, for those using Obtainium to download apps from Github can one get malware via malicious apks?

[-] Creat@discuss.tchncs.de 5 points 4 months ago

Of course you can. The actual question is: do you trust the author(s) of the repositories you're pulling the APKs from? Including that they are keeping the repo secure from malicious influences? If the answer is "no", then you shouldn't add the repo, obviously. Every repository acts as an individual trust anchor. Unlike F-Droid or the play store, where the store itself acts as the trust anchor (or should, at least)

To be clear, I'm using obtainium for quite a few apps, but I'm rather rather careful which I add there and what apps I'm getting elsewhere.

[-] erAck@discuss.tchncs.de 2 points 4 months ago

If you installed the original legit package it can't be updated with such fake one (without uninstalling and installing the bad one) as the signatures won't match. If you initially install the bad package then yes of course.

[-] Quereller@lemmy.one 1 points 4 months ago

If possible I get the Git repo from the F-Droid entry for this app. And I usually look at the activities and commits. I hope that helps.

[-] Zerush@lemmy.ml 1 points 4 months ago

You can get malware with the download of any soft, independent of it is FOSS or not. The clue is that it is for crackers easier to infect OpenSource if the soft has a deficient maintenance or it is abandoned, as is seen a lot on GitHub with apps that have not been updated for several years, like sadly this one, which was a very good app.

There is a lot of misunderstanding regarding OpenSource, the meaning of this type of software is to allow collaborative development, not limited to a small group of a company's developers, as in the case of proprietary software, but as many believe, OpenSource is not a guarantee of security or privacy at all, this depends solely on the intentions of the author (not all of these are good guys) of this and that, as I said, that the software has maintenance and if possible an active community. Nothing worse than an abandoned and outdated OpenSorce, worse than an outdated proprietary soft.

It is essential in GitHub or another Git, to look at when it was last updated and, as in the case of any software, to review it with an AV before using or installing it and ALWAYS read the PP and TOS.

[-] delirious_owl@discuss.online -2 points 4 months ago

No, apt has signatures and a team of maintainers whose job it is to verify the packages match what the Dev produced

[-] sirico@feddit.uk 15 points 4 months ago

cries in AUR

[-] Deckweiss@lemmy.world 1 points 4 months ago

You mean laughs!

[-] rcbrk@lemmy.ml 10 points 4 months ago

AUR has just as much ability to fuck you over as piping curl to sh as an installation method.

Check your PKGBUILDs every single time and make sure you (still!) trust whatever repos it's pulling the source/binaries from.

[-] Deckweiss@lemmy.world 7 points 4 months ago* (last edited 4 months ago)

I completely agree with you on the ability part. There already have been cases where there was malware in the AUR.

But the wiki specifically states to read the PKGBUILD and check the source url content before installing.

I don't think the system is at fault here. I mean, getting viruses/malware has always been mostly due to lazyness, user error and lack of knowledge.

[-] okamiueru@lemmy.world 2 points 4 months ago

If you're actually vetting PKGBUILD, I don't think there is a single one I've installed that doesn't download some blob. There is no way of knowing if it's OK, unless you also sift through that. I don't think anyone does. I certainly don't.

[-] Deckweiss@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

Most of mine download source and compile it or plain scripts like python/bash and move them some place.

If it is a -bin, I check the url and checksum to be sure that it comes from the official source and obviously I do not install software from companies that I do not trust. (and yes, every update. I have a dedicated timeslot in my calendar for that)

I don't know what type of blob you mean which would require any additional treatment like.

[-] andreas@lemmy.korfmann.xyz 4 points 4 months ago

yeah, I tend to only look at repos with decent activity. If I stumble across a project that seems a bit sparse but I still need/would like to use the code, I try to scan through it myself to spot anything fishy. So far so good, but always good to be careful and triple check

this post was submitted on 29 Feb 2024

204 points (98.1% liked)

Open Source

28973 readers

198 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 4 years ago

MODERATORS

Cloak@lemmy.ml

kevincox@lemmy.ml

CrypticCoffee@lemmy.ml

Lettuceeatlettuce@lemmy.ml