
    28 Comments

    1. debugger_life on

      First NPM was attacked.
      Then NPM was attacked a 2nd time.

      And now a GitHub attack.

      What should we expect next?

    2. johnjohn4011 on

      Is there a GoFundMe to help support this form of self-defense?

      Surely it falls well within the purview of the second amendment…

    3. DetectiveOwn6606 on

      Good. Let's crash the whole internet, as nevertheless it is filled with AI slop.

    4. Yeah, this is def an attack on the notion of open source at all — I BET — by people who are wanting ID verification — the natural consequence of this is pushing communities to demand proving who you are and proving you're not a bot or a bad actor — making everyone pay the cost — while the bad actors continue to use other means.

      So the surface read says sure, you can hack people's coins and credentials — but that's superficial — dig deeper to 3-4 degrees of why and the story becomes much more nefarious.

      Probably a false flag to provoke community reaction towards ID and AGE verify all the things. I would caution: don't fall for this. There are other solutions that don't require ID verification or closed book clubs and walled gardens.

      We have to be mindful and not fall prey to the surface level read, the truth is always layers below. Proving who you are at all times is not the solution for security.

      “Zero trust/Zero Knowledge,” as it's called, is one known approach (services like Signal and CloudFlare I believe use this pattern to a degree); regardless, you shouldn't have to tell everyone and everything who you are in order to exist or to do anything or use anything; ALSO the system should have natural checks and balances like, I dunno, maybe a fundamental Right to Data Privacy, then this kind of all goes away.

      Treat your privacy rights as inalienable (non-negotiable) except in the proper arenas like banking and DMV.

      ---
      Edit:

      If you can hold businesses accountable for what they do with your data and how they steward it, then the whole "who has my information" issue kind of turns into "are they going to sue me for millions?", which would turn this boat in the right direction IMHO.

      The US needs GDPR++ style protections; we are the only country in the world I know of where every citizen's information can be looked up by any other person in the world without care or thought.

      Identity, data custody and data provenance at the user level is backwards. Platforms have a responsibility to be good stewards of personal data instead of trying to make everyone flash an ID card — which can be faked anyway.

      My take: Do not fall for the “just show your ID bro!” trap that's been popping up in comments; do not fall for these pearl-clutching scary events as a reason to throw privacy out of the window. These companies can decide to use better security practices, but they'd rather you show your ID instead, just so that they can pretend it all magically stopped once everyone complied… “see! — all fixed. Anyone who didn't show their ID = bad.”

      Thought exercise: What does anyone have to gain from attacking software communities? Why would they do that? What do they want? At the end of the day it smells like influence/control. Why do they want control?

      {/endrant}

      In any case, always resist this however it shows up, like a nasty hydra. I'd argue younger people are more susceptible to this because their entire life history has a longer thread to map out and track.

    5. Submissive-whims on

      The tools they're targeting are apparently extensions for Visual Studio. Corrupt the extension and you get access to the authentication tokens that Visual Studio can access to handle version control. The question becomes: how can you protect your authentication tokens? They exist to make it more convenient to verify your identity, and they are safe as long as no one can get your machine to send them out of your machine. It seems like they've become a point of failure. I suspect we're going to have to encrypt them and use a password to decrypt them each time we want to verify our identity.
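      The password-protected token storage the commenter above expects is straightforward to build with Node's built-in crypto module. The following is an added example, not code from the article or from any commenter or project it mentions: the key is derived from a passphrase with scrypt, the token is sealed with AES-256-GCM so that a copied record is useless without the passphrase and any tampering is detected, and the record layout (version, salt, IV, tag, ciphertext) is an assumption of this example. The token value and passphrase are constructed placeholders.

```javascript
// Added example (not from the article or any commenter): sealing a stored
// credential under a passphrase-derived key. Uses only Node's crypto module.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed here; tune for the target machine).
const SCRYPT_OPTS = { N: 2 ** 14, r: 8, p: 1 };

function deriveKey(password, salt) {
  // 32-byte key for AES-256; a fresh random salt per record defeats
  // precomputed tables across users and across re-encryptions.
  return crypto.scryptSync(password, salt, 32, SCRYPT_OPTS);
}

// Returns a self-describing record (base64 fields) that can be written to disk
// in place of the plaintext token.
function sealToken(token, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, never reused with a key
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Returns the token string. Throws if the passphrase is wrong or the record
// was modified: both show up as a failed GCM authentication tag check.
function openToken(record, password) {
  if (record.v !== 1) throw new Error('unsupported record version');
  const key = deriveKey(password, Buffer.from(record.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Demonstration with constructed values.
if (require.main === module) {
  const record = sealToken('constructed-token-value', 'constructed passphrase');
  console.log(JSON.stringify(record));
  console.log(openToken(record, 'constructed passphrase'));
  try {
    openToken(record, 'wrong passphrase');
  } catch (e) {
    console.log('wrong passphrase rejected:', e.message);
  }
}

module.exports = { sealToken, openToken };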

    6. I’m a big believer in open source, but I’ve been a long critic of how nonchalant many, many, many companies are about downloading and executing random code from the internet. And it’s not just VSCode and NPM, every language has people downloading packages and libraries with basically no verification or validation. Many of us in the security world have been warning for years that this is a powder keg ready for a spark. The fact that a company as large as Github is allowing developers to download and install unknown VSCode extensions from the public repositories on machines with production access, is crazy.

      And there’s no great answer, we can sandbox apps and code and validate, but things like data exfiltration can be very subtle, and difficult to detect. And doing this for every version that comes down and maintaining your own internal repos is crazy time consuming.

      Part of this can be solved with isolation. But NPM, pip, and all of these other package repos are going to need to implement some kind of real certification mechanisms.

    7. User_Many_Errors on

      Something I just learned is that open source code is used by big corps like Google and AI companies for themselves and their projects, to sell back to us, making open source have the opposite effect of what it's meant for. This could be one reason for the attacks.

    8. Aranthos-Faroth on

      The fact this is happening isn’t surprising, it’s that it hasn’t been a major major problem till now.

      Open source code is admirable – but it takes just one bad actor to poison the well for the whole village to die.

    9. Been saying it for a long time: open source in and of itself is a security risk. We relied on the fact that a human isn't actually going to go through the code with a fine-tooth comb, but AI will, and it's only going to keep getting worse.

    10. When billionaire corps own the govt…. It works for billionaires to make them more profitable

    11. online-reputation on

      A main problem of LLMs is bad actors negatively influencing and manipulating results

    12. These days I've been either pulling out individual functions into my own library or cloning as a sub repo and having Claude/GPT scan any diffs on an update pull and any dependencies that have changed. It's annoying.

      It's the random dependency of a dependency of a dependency where some of this stuff is hiding. I also use bun's package manager so it doesn't auto-run post-installs – even on node runtime. In the Rust and Go world I thankfully don't use a ton of deps, and Go has a big stdlib. Ones I do use are huge at least.

    13. Well, here's my 2 cents: If I was the owner of a huge tech company and I saw open source code getting better than what I could produce even after investing millions, I would hire as many hackers as I could to discredit open source code.

    14. Yep! The data poisoning movement is very strong at the moment. I honestly don’t think it will stop when accessible through the open web.

    15. BetterNowThks on

      The same government that is going to surveil you and have access to your bank accounts.

    16. CanisterWorms, code poisoning, and supply chain targeting. Quite the skill set for such a juvenile group. There’s someone powerful backing them, whether that’s a government or an organization, someone is footing the security and manpower for this.