• Thurstylark@lemm.ee
    7 months ago

    Me: fixes exposure to vuln

    Also me: grabs popcorn

    This is going to be an interesting story once this all quiets down…

    • Bitrot@lemmy.sdf.org
      7 months ago

      Gonna take a bit. The dude's been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

      And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

      • SuperIce@lemmy.world
        7 months ago

        Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

      • Brunacho@scribe.disroot.org
        7 months ago

        Gonna take a bit. The dude's been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

        Gonna take even a bit more now. GitHub closed the account and project, making it really difficult to see their commits and merges and analyze them.

      • Thurstylark@lemm.ee
        7 months ago

        Running Arch, so not really exposed, but still had a compromised version installed.

  • wolf@lemmy.zip
    7 months ago

    Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

    It really bothers me that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

    • RedNight@lemmy.ml
      7 months ago

      This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience.