this post was submitted on 05 May 2025
185 points (98.4% liked)

Linux

53933 readers
843 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
185
Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack (thehackernews.com)
submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/[email protected]
23 comments fedilink hide all child comments
 

Packages:

  • github.com/truthfulpharm/prototransform
  • github.com/blankloggia/go-mcp
  • github.com/steelpoor/tlsproxy
top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 3 hours ago

Taking garbage collection to a whole new level !

[–] [email protected] 64 points 21 hours ago (1 children)

Aaah finally, malware for Linux, truly the year of the Linux Desktop!

[–] [email protected] 24 points 20 hours ago

We made it! I never thought I'd live to see this day!

[–] [email protected] 60 points 1 day ago (2 children)

The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

This is absolutely not just specific to Go.

[–] [email protected] 33 points 23 hours ago (1 children)
  • PyPi
  • npm
  • Maven Central
  • Docker Hub
  • Artifact Hub
  • PPA
  • AUR

The problem isn't specific to anything. It's also not specific to malware. Vulnerabilities are just as dangerous, if not more so.

[–] [email protected] 5 points 3 hours ago

Cargo also has a --git option but I suppose it's not default behavior

[–] [email protected] 1 points 22 hours ago* (last edited 22 hours ago) (1 children)

That's a pretty unique feature to Go I think. Maybe clang has something similar I guess?

Not that an attack like this is unique or anything.

[–] [email protected] 3 points 20 hours ago

CMake, which is kind of the universal standard build system for C++ now, has "fetch content" since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you'd like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you'd like. I don't think most people would question pulling and building a library from Github as part of the build, especially if it had a sensible name for the task at hand.

[–] [email protected] 22 points 22 hours ago (2 children)

The one, fool-proof solution to supply chain attacks? Write all your own dependencies. meow-coffee

[–] [email protected] 25 points 22 hours ago (1 children)

I'm already writing my own dependency to check if a number is even:

if (number == 0) return true
if (number == 1) return false
if (number == 2) return true
if (number == 3) return false

I'm almost there!

[–] [email protected] 18 points 21 hours ago (2 children)

You've probably covered 90% of use cases there so you're doing well!

I'm trying to port your code to Rust but the compiler keeps giving me an error about non-exhaustive match arms sadness

[–] [email protected] 9 points 20 hours ago

It's quite cruel of that compiler not being happy until you're exhausted.

[–] [email protected] 7 points 21 hours ago (1 children)

this is so sad, I'm gonna pray for you in rust

[–] [email protected] 7 points 19 hours ago

Assuming you're monotheistic, I believe you can use an mpsc channel to send those asynchronously.

[–] [email protected] 3 points 20 hours ago (1 children)

That seems to be the Go way. Why put it in a library when everyone can just re-implement it themselves (and test and document it too, right? Right?).

E.g. There isn't even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map. And then people try to paint this as a virtue of the language.

[–] [email protected] 6 points 19 hours ago (1 children)

E.g. There isn't even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map.

Goooood fucking gravy.

I hate to be such an opinionated programmer, but everything I've read about Go only reinforces my negative opinion, especially since I read this now-famous article.

[–] [email protected] 2 points 17 hours ago (1 children)

I have decades as a SWE, including deep (but now out-of-date) C++ experience, a lot more recently in serious Python systems, and a fair amount of web UI dev on the side.

Now I have 1 year with Go. I came to it with an open mind having heard people sing its praises I thought it would be broadening to spend some time with a language new to me.

My advice now is do anything you can to avoid working in golang. Almost daily, I seriously contemplate whether it'd be worth quitting and being unemployed, even in this economy (US). It is a better C, but that's a low, low bar at least for the project domains I ever work in. Where it's an even plausible answer, Rust is probably a better one (I think? - haven't used Rust for anything real).

[–] [email protected] 1 points 17 hours ago

Oooof, good to know. I have a bit more of a low level C brain at root so I see the appeal of Go, but never had enough of a reason to get into C++. I've only really used C# and JS/JS frameworks professionally.

Rust is an absolute joy to work with. The strong typing, the hands-on memory management, the functional elements, the build system, the helpful compiler errors and warnings, the magical feeling that comes when your first successful compile since refactoring just works, the queer-friendly community... just the perfect language for the way my brain operates.

I'm lucky to be unemployed at the moment and have time to make my own projects with tools of my choosing. There are definitely some barriers to using it in most workplaces, but most of those come down to adoption inertia and the fact that the language is still "new" - new in the sense that it's not mature enough to have a mature enough frontend framework that has a mature enough third party component library for easy plug and play. Filling out all the corners that older languages have is gonna take a while.

[–] [email protected] 30 points 1 day ago

This is why we can't have nice things

[–] [email protected] 14 points 1 day ago (1 children)

Any intel on affected, high-profile software?

[–] [email protected] 14 points 21 hours ago (1 children)

I found the original blog post more educational.

Looks like these may be typosquats, or at least "namespace obfuscation", imitating more popular packages. So hopefully not too widespread. I think it's easy to just search for a package name and copy/paste the first .git files, but it's important to look at forks/stars/issue numbers too. Maybe I'm just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can't say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.

[–] [email protected] 8 points 20 hours ago

The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.

[–] [email protected] 1 points 22 hours ago

Halloween documents pt 2