• Goun@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    1 day ago

    Why the Documents folder tho? Who expects important stuff to be there?

    Now all my Linux ISOs are gone, smh

    • Goun@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      1 day ago

      Yes, I agree, but then, what would be an alternative?

      Store it into a file, chmod it and run it? git clone the repo and run a script from it? I don’t think any of those would be different, apart from having more steps most people won’t even check anything.

      I don’t know if we can fix this while allowing people to run stuff they don’t understand on their machines. Maybe community curated scripts or something, know the people who does the stuff and only run stuff made by people you already know.

      I think we’re running too fast, we need to chill down, idk.

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        19 hours ago

        Yes, I agree, but then, what would be an alternative?

        Any package manager that allows for ways to verify the source. These shitty script|bash lines are doing all sorts of nutty shit on your system, and that’s ones that aren’t even malicious.

  • just_another_person@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    2 days ago

    This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.

    GitHub is not compromised, nor sending unintended payloads.

    • ikidd@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      2 days ago

      Many of the projects are backend dev tools, like the Atlas provider linked in the thread.

      • just_another_person@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        2 days ago

        But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.

        These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.

  • crystalwalrus@programming.dev
    link
    fedilink
    arrow-up
    4
    ·
    2 days ago

    Another reason that star count is a terrible metric for quality / authenticity. Fake stars are a huge problem that not a lot of people take seriously.

    • harsh3466@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      2 days ago

      Hahaha. Was about to comment nearly the same thing. My NFS share has a different mount. ~/Documents is an empty directory