• HelloRoot@lemy.lol · 6 months ago · 82 up / 3 down

    Aaah finally, malware for Linux, truly the year of the Linux Desktop!

  • vegetvs@kbin.earth · 6 months ago · 67 up / 3 down

    > The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

    This is absolutely not just specific to Go.

    • MoonMelon@lemmy.ml · 6 months ago · 16 up

      I found the original blog post more educational.

      Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.

      • catloaf@lemm.ee · 6 months ago · 10 up

        The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.

  • tomatoely@sh.itjust.works · 6 months ago · 4 up · edited

    If anyone is curious, I checked the yay AUR helper Go dependencies here and it had none of the malicious packages mentioned in this post.
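A minimal version of the check tomatoely describes (a project's Go dependencies against a list of known-bad module paths), extended with the two look-alike patterns MoonMelon's comment points at: typosquats of popular modules and "namespace obfuscation", the same package name published under a different owner. This is an added example, not code from the original thread, from the article it discusses, or from yay. The go.mod text, the blocklist entry and every flagged module path are constructed for this example and are not the packages the article reported; github.com/spf13/cobra, github.com/gin-gonic/gin, golang.org/x/crypto and github.com/stretchr/testify are real modules used only as the "well-known" reference set.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// sampleGoMod is a constructed go.mod for a hypothetical tool; the suspicious entries are made up.
const sampleGoMod = `module example.com/hypothetical/tool
require (
	github.com/spf13/cobra v1.8.0
	github.com/spf13/cobraa v0.0.1 // hypothetical look-alike of cobra
	github.com/evil-example/boltdb-migrate v0.1.0 // hypothetical blocklisted path
	github.com/someone-else/crypto v0.2.0 // hypothetical reuse of a known name
)
`

// blocklist holds known-malicious module paths; the entry is a constructed placeholder, not from the article.
var blocklist = map[string]bool{"github.com/evil-example/boltdb-migrate": true}

// wellKnown: popular modules whose names an impostor might imitate.
var wellKnown = []string{"github.com/spf13/cobra", "github.com/gin-gonic/gin", "golang.org/x/crypto", "github.com/stretchr/testify"}

// ParseGoMod returns the module paths in "require ( ... )" blocks of go.mod text, ignoring trailing comments.
func ParseGoMod(text string) []string {
	paths, inBlock := []string{}, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" || line == ")" {
			inBlock = line == "require ("
		} else if f := strings.Fields(line); inBlock && len(f) == 2 {
			paths = append(paths, f[0])
		}
	}
	return paths
}

// Audit flags blocklist hits, typosquats within edit distance 2 of a well-known module, and reuse of a
// well-known module's last path element under another owner (the last check is noisy; triage only).
func Audit(paths []string) map[string]string {
	out := map[string]string{}
	for _, p := range paths {
		if blocklist[p] {
			out[p] = "exact match on blocklist"
			continue
		}
		for _, known := range wellKnown {
			if d := levenshtein(p, known); d <= 2 {
				if d > 0 {
					out[p] = fmt.Sprintf("look-alike of %s (edit distance %d)", known, d)
				}
				break // d == 0 is the genuine module, not an impostor
			}
			if path.Base(p) == path.Base(known) {
				out[p] = "reuses the package name of " + known + " under a different owner"
				break
			}
		}
	}
	return out
}

// levenshtein is the edit distance between two ASCII strings (two-row dynamic program).
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if v := prev[j] + 1; v < best { // deletion
				best = v
			}
			if v := cur[j-1] + 1; v < best { // insertion
				best = v
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

func main() {
	for p, why := range Audit(ParseGoMod(sampleGoMod)) {
		fmt.Printf("FLAG %s: %s\n", p, why)
	}
}
```

On the sample manifest this flags the look-alike, the blocklisted path and the owner-swapped "crypto", and leaves the genuine cobra alone. For a real project, feed it the output of `go list -m all` rather than go.mod alone, since that is the resolved build list including the transitive dependencies MoonMelon says nobody checks; and treat the last heuristic as a prompt to go look at the repository's owner, stars, forks and issues, not as a verdict.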