- Aaah finally, malware for Linux, truly the year of the Linux Desktop! - We made it! I never thought I’d live to see this day! 
- Notice me Hacker Senpai! 
 
- The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.
  - This is absolutely not just specific to Go:
    - PyPI
    - npm
    - Maven Central
    - Docker Hub
    - Artifact Hub
    - PPA
    - AUR

    The problem isn't specific to anything. It's also not specific to malware. Vulnerabilities are just as dangerous, if not more so.
    - Cargo also has a `--git` option, but I suppose it's not default behavior.
      - Sure! My point is that hosting doesn't really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.
        - I agree, I was just giving another example to raise awareness about that feature of Rust.
 
- This is why we can’t have nice things 
- Any intel on affected, high-profile software?
  - I found the original blog post more educational.
  - Looks like these may be typosquats, or at least "namespace obfuscation", imitating more popular packages. So hopefully not too widespread. I think it's easy to just search for a package name and copy/paste the first .git files, but it's important to look at forks/stars/issue numbers too. Maybe I'm just paranoid, but I always creep on the owners of git repos a little before I include their stuff, but I can't say I do that for their includes and those includes, etc. Like if this was included in hugo or something huge I would just be fucked.
    - The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.
 
- deleted by creator 
- If anyone is curious, I checked the yay AUR helper's Go dependencies here and it had none of the malicious packages mentioned in this post.
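The check the commenter above describes (comparing a project's Go dependency list against the modules named as malicious) can be scripted. The program below is an added example and is not code from this thread, from yay, or from the original blog post. It parses a constructed `go.sum`, flags modules on a hypothetical blocklist, and additionally flags the two look-alike patterns raised earlier in the thread: a module path within one edit of a module you deliberately depend on (typosquat), and a module with the same repository name as a trusted one under a different owner (namespace obfuscation). All module paths, the blocklist and the trusted list are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Constructed go.sum excerpt; none of these modules are real findings.
const sampleGoSum = `github.com/example/legit-lib v1.4.2 h1:AAAA
github.com/example/legit-lib v1.4.2/go.mod h1:BBBB
github.com/evil-org/legit-lib v1.4.2 h1:CCCC
github.com/evil-org/legit-lib v1.4.2/go.mod h1:DDDD
github.com/example/legit-1ib v0.0.1 h1:EEEE
golang.org/x/text v0.14.0 h1:FFFF
github.com/someone-else/text v0.1.0 h1:GGGG
`

// Hypothetical blocklist of module paths reported as malicious.
var blocklist = map[string]bool{
	"github.com/evil-org/legit-lib": true,
}

// Modules the project intends to depend on (hypothetical).
var trusted = []string{
	"github.com/example/legit-lib",
	"golang.org/x/text",
}

type Finding struct {
	Module string
	Reason string
}

// modulesFromGoSum returns distinct module paths in first-seen order.
// Each go.sum line is "module version hash"; the "/go.mod" suffix is on
// the version field, so field 0 is always the bare module path.
func modulesFromGoSum(text string) []string {
	seen := map[string]bool{}
	var mods []string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 || seen[fields[0]] {
			continue
		}
		seen[fields[0]] = true
		mods = append(mods, fields[0])
	}
	return mods
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between a and b (two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Audit returns one finding per suspicious module in the go.sum text.
func Audit(goSum string) []Finding {
	var out []Finding
	for _, m := range modulesFromGoSum(goSum) {
		if blocklist[m] {
			out = append(out, Finding{m, "listed as malicious"})
			continue
		}
		for _, t := range trusted {
			if m == t {
				break
			}
			if levenshtein(m, t) <= 1 {
				out = append(out, Finding{m, "possible typosquat of " + t})
				break
			}
			if path.Base(m) == path.Base(t) {
				out = append(out, Finding{m, "same repo name as " + t + " under a different owner"})
				break
			}
		}
	}
	return out
}

func main() {
	for _, f := range Audit(sampleGoSum) {
		fmt.Printf("%s: %s\n", f.Module, f.Reason)
	}
}
```

Run it against a real `go.sum` by replacing `sampleGoSum` with the file contents; the look-alike checks are heuristics and only tell you what to go and inspect (owner, forks, stars, issues), not that a module is malicious.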
- Halloween documents pt 2 