Good news for winboys!

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment _id=5006595#gistcomment-5006595

How about Microsoft just bans this filth and send the cops his way?

Github is absolutely stupid for doing this. This makes it harder for me to respond as an OS vendor to the problem. I want to audit this code. Yes, I can look at the alternate site but tracking this rogue user's activity is helpful. The person also had commits against libarchive.

For folks that don't know, lzma compression is used for a lot of things with various OS projects. The MidnightBSD package manager uses it. It's not always called directly as some thing. With bsdtar/libarchive, it's linked against liblzma directly. The mport package manager uses libarchive with liblzma to actually compress data. Now the actual malware uses glibc hooks, so the BSDs are safe from this particular problem. However, the malicious actor could have done other commits that are a problem both to this project and others.

Instead, github should have put a warning up and blocked downloads of the affected two versions known about instead. (the full tarball)

As far as info about the issues: https://boehs.org/node/everything-i-...he-xz-backdoor

The idea that only FOSS can be validated and analyzed is bizarre. Don't people often complain that systemd or xorg or whatever is huge and bloated and therefore impossible to audit?

Conversely, with the right tools one can analyze the behavior and properties of closed source/binary only software. I've done so in the past for personal (boredom, etc) reasons.

This isn't an attack on open source or a defense of closed source, but it's much more nuanced than "open source is immune to issues."

...because it pulled in libarchive (known FOSS project)? Not defending windows here but if anything does this not weaken the whole "FOSS has thousands of eyes on it" further?

Where, to Chinese "CIA" equivalent agency, Russian (contributions of "Jia Tan" started incidentally the same month Russia invaded Ukraine..) or where?
Jia Tan is just avatar with some email.
You don't know what it is, where and how many people are involved.

Github were genius for doing this, its basically brought all the malware cockroaches into the light so we can all see their bad practices clear as day.

this nation state backed APT group is probably the group​ "Magnet Goblin" and i reported this group for attacking members of the open-source community many months ago and they did also attack phoronix.com forum members here in the forum.



they are even active in this forum and place links here in the forum to lure forum members into traps to attack zero days in web browsers.

my advice is do not click on links here in the forum from this forum member: sophisticles

or else you maybe get some "logofail" virus

what do you think is "Magnet Goblin" ???

i can tell you it is a nation state backed Advanced Persistent Threat actor​ group

one think is for sure these people: "NSA/CIA/FBI" will never help the open source community they themself spend billions of dollars to spy on members of the opensource community.

This is significantly more complex than that.
Last I saw its a well hidden RCE that can only be exploited by the authors (the hook into RSA_Decypt is to decypt the payload using a fixed public key, so only the attacker could encypt the payload).



That's a long way from script kiddying a day-1 exploit