Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were python obfuscated bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used discord, and you could see lots of different ranks of the discord server, with the API tokens and paypal ids and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend been way too long. Here's the links to the original article from only a couple days ago:
[1] https://old.reddit.com/r/netsec/comments/1izryuk/github_scam...
[2] https://timsh.org/github-scam-investigation-thousands-of-mod...
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the google spreadsheet I have also on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
E.g. we also have https://news.ycombinator.com/item?id=43203158 from 3 days ago, which seems to be a different thing at first glance.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a way more undetailed manner than the original reddit post.
[1] https://securelist.com/gitvenom-campaign/115694/
edit: update my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
Only the malicious repositories (second sheet):
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
Edit: Example https://github.com/microsoft/winget-pkgs/blob/master/manifes...
You don't have to assume that the code is community-vetted. If a repository has at least a couple hundred stars, lots of forks, and an active pull request cadence, then you know that at least some people have gone digging through it.
If not, then that's when you should break out the sandboxing tools and prepare to check the code yourself. At least it should be easy-ish to automatically check/block everything that has the potential to open a network connection, which defeats most profitable malware models.
Let's use GitHub as an example. We have forks, and stars. Maybe we could also have some kind of build endorsement?
How one would verify that the endorser is worth your trust, I am not entirely sure.
Maybe endorsers could eventually be rated by CVEs found in their endorsements, and that would build trust?
On top of that it could have forced release binary scanning via VirusTotal/insert-malware-scanning-vendor-here.
Pay researchers to analyse repos without any. Post results. Link to the repo with mitigation PRs.
It’s insane this isn’t the standard already
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to do even contemplate this type of change, maybe this could be a differentiator for GitLab?
This would actually be an excellent LLM coding benchmark,[0] in addition to a human endorser benchmark.
[0] If nobody is already doing this, especially retrospectively, and you do, then please at least give me a shout out. :)
If you work for a commercial company then you should not download the code from random users on Github for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't sanboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
It's really absurd how many of these are out there in the wild. Scary really.
All it says is that the projects were written in different common languages...
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
To really get around the culture problem you would need an OS that lacks the concept of undeclared data sharing between different packages.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscomos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
https://www.aclu.org/news/national-security/secret-court-opi...
Do you know of other examples?
The wording is also... Squirelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only be used against journalists [1], as far as we know, which is nice and horrific.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
[1] https://www.abc.net.au/news/2019-07-15/abc-raids-australian-...
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
Russia and China, have.
The threat scale here, is not an even playing field.
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
Russia and China have a long way to go to catch up.
Fundamentalist-authoritarian chauvinism for your own state is no justification for these human rights violations - assuming of course you are a citizen subject of the criminal 5-eyes alliance ... If you cannot imagine it being okay for other states to harvest your data, you should not be okay with your state doing it, either.
You know why? Because violating your privacy without recourse is how states ramp up to commit genocide and other atrocious crimes against human beings, whether their citizens or otherwise, by a process through which the states ruling classes deem their victims inferior and thus subject to attention by further repressive state apparatus.
Mass harvesting billions of human beings data every single second of the day, without their permission, is therefore a heinous crime against humanity and a massive violation of human rights at scale - especially when its being done by a violent, belligerent state with the blood of literally millions of human beings lives on its hands. Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
With the Pine Gap apparatus, the USA is primed with information about who to target in its victim states. It is a key method by which effective mass murder can be manifested in illegal wars - of which, the USA is the undisputed leader, this century.
Just by way of a single example - the Holocaust was made feasible by the mass harvesting of private citizens' data by IBM. Is this not well understood, today?
Would you be 'okay' with Russia and China operating their own Pine Gap, since "its no big deal to 'just be snooping a little (a lot of) data'"? Would you be 'okay' with your own state knowing absolutely everything about you without your knowledge or control, now .. or in the future, when perhaps your political attitude changes as you grow older?
You most likely wouldn't be happy with China and Russia doing this, even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
Nonsense. The state definitely has the right to seek out criminal and undermining elements. Better, a democratic state has the obligation to do so.
> Would you be 'okay' with Russia and China operating their own Pine Gap
They do. And there's nothing I can do against it.
> even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
Oh dear, aren't we rabidly anti-West today? I wonder how you square that with your "Privacy is a key human right that should not be abrogated by the state, ever." stance.
> Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
Why the sudden switch to "this century"? Your argumentation is switch-and-bait throughout. But China probably has perhaps already murdered more Uygurs, and if we add its "minion" Myanmar, they'll top it.
It has the responsibility to do so without violating its citizens human rights.
What you are describing is fascism - the totalitarian-authoritarian elevation of the state over the individual.
>I wonder how you square that with your "Privacy is a key human right that should not be abrogated by the state, ever." stance.
What needs to be squared? This is non-sequitur.
>Why the sudden switch to "this century"?
There was no 'sudden switch' - its a fact that in the past 25 years, Western forces have murdered at massive scales more innocent human beings than any other state or entity.
Why do you defend criminal acts (violating human rights) and minimize mass murder? Are you in the 'might makes right' misanthrope camp?
"Chinese hackers are deep inside America’s telecoms networks" - https://www.economist.com/china/2024/12/12/chinese-hackers-a...
https://www.nytimes.com/2025/03/02/us/politics/hegseth-cyber...
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
If you're not holding your own government to the standards you apply to other states, you're putting yourself in danger.
Especially given the fact that the USA and its partners operates the largest, by far, information gathering/human rights abusing apparatus with well-known subversive purposes, by a long margin..
Although it has to be stated, I don't think Elon has been calling for the bombing of innocent human beings at the same rate as his predecessors.
I don't think every Russian company is conspiring against the US anymore than I think every US company is conspiring against Russia. In this case there's a clear and malicious motive for the US to want to block them that has nothing to do with threats, and they've gone way beyond any sort of reasonable standard to make it clear they have no ill intentions whatsoever.
Of course the problem is that proving you're not a witch is basically impossible, which is why innocent until proven guilty is a standard across the world, except when it comes into geopolitics when allegations are proof, leaving the accused parties to prove a negative.
It should go even further e.g. you don’t want ARM installing backdoors on their chips and giving hostile foreign organizations like the MI6 access to vital American infrastructure, intelligence data etc. do you?
It might be the time to consider switching to Elbrus or at least mandating that all devices used by US government agencies have to use Intel’s chips.
Overtly adversarial relationships trend towards violence, sooner or later, and that's not a path we ever want to go down.
If the US and Russia were on good relations none of this would have happened, Germany's economy would still be booming, and just about everybody would be so much better off today. And no, the article does not say the Pentagon will "unilaterally disarm." It ordered a halt to offensive operations against Russia - e.g. the Russian government which is certainly going to be reciprocated. Criminal elements are a different topic, but I do expect as relations between US and Russia warm, they will no longer be looking the other way when these groups target the West.
The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he moving more towards Russia than the West. Russia then ended up invading Ukraine for fears of having NATO not only right on their doorstep, but right in their geographic Achille's Heel.
Naturally, Ukrainians responded with massive protests, to which Yanukovych replied with increasing violence, culminating in 100 protesters being killed by police snipers. At that moment, Yanukovych lost the support of even his own party, fled to Russia out of fear of imminent imprisonment, and the Ukrainian parliament announced snap elections to replace him. The elections were held a few months later. Not many people would call general elections a "CIA coup".
NATO has nothing to do with it either, that's pure gaslighting. In the first few years after the initial invasion in 2014, Russia denied having any troops in Ukraine. According to Russia, the thousands of people equipped with Russian tanks, artillery, and air defense systems were merely local self-defense forces who had bought their equipment from military surplus stores. Russia claimed that Ukraine was in a civil war.
The narrative started shifting to blaming NATO only in the run-up to the full-scale invasion in 2022, when Russia abandoned the story that Ukrainians were fighting each other and needed a new justification for its massive surprise attack on all of Ukraine.
Typical Zed propaganda where Eastern Europeans are all brainwashed to hate the good, kind Ruzzian empire. if you are USaians then go and fix your history and stop consuming MAGA and Zed propaganda.
The US wasn't just doings things behind the scenes. This [1] is John McCain at a rally in Kyiv. Imagine if during the BLM (or January 6th or whatever) protests/riots if China/Russia/etc had sent high level officials to overtly rally people to try to overthrow the government. It's a completely surreal sight if you really think about what you're seeing. The US is right there saying 'Yeah, we're gonna overthrow you in plain sight - try to do anything about it and you'll be wishing that's all that happened.' And if you think there was nothing going on behind the scenes on top of that stuff that overt in front of the cameras, then I'd say you're not arguing in good faith!
In any case, none of this happens with good relations. A simple agreement to economically save Ukraine shouldn't have been an adversarial East vs West thing, but just another agreement to the benefit of Ukrainians. But that poor country's strategic positioning, and easily exploitable nationalist minority, means it was doomed to inevitably just end up as little more than a rope being tugged on by two giants. The giants will be fine regardless of what happens - it's just the rope that ends up in tatters.
I don't give a shit what USA idiots said, if the people of Ukraine want in EU and NATO like their neighbors Poland, Romania, Hungary then why should a failed empire object.
You imply that USA brainwashed the Ukrainians, they instigated this.
Can't you use your brains? Can you see Ruzzians killing, raping, torturing their "brothers" ? It is obvious that for an ethnic Ruzzian genociding Polish, Romanians or Ukrainians is the same , they have no value for what we actually want.
We all want EU and NATO to be free of USSR/Ruzzian empire the Ruzzians want their empire back,
Ruzzia has nukes so the bullshit that NATO extens because they want to invade Ruzzia and steal their shit is stupid , use your brain
EU bought shit from Ruzzia, EU tried to get peace with the empire by making bussiness relations, EU had not plants to invade and steal Ruzzian lands .
There was ZERO risk for Ruzzia to get invaded, it is the same with the other wars Putin started, it is all geopolitics and many Zeds agree with it and make fun of us smaller country by claiming that this is how the world works, big empires screw the small countries.
There is a lot to criticize the US for, but it is nowhere close to being a failed empire yet.
At least we can agree Ruzzia is failed empire, no words on that part from KGB I am happy I found an agent that is not flagging or reporting me then goes to tell his mom how big of a hero he is.
The reasons countries don't want geopolitical adversaries on their doorstep is because superpowers have an unspoken (well.. sometimes spoken [1]) 'sphere of influence' that is not to be touched. If Mexico signed a military agreement with Russia that involved them establishing forces there - we would be invading imminently. In fact this is exactly what the Cuban Missile Crisis [2] was about. Ukraine (and Taiwan) are not even just proxy wars between the US and Russia/China, but rather they're a proxy war against hegemony. Does the US have the right to setup right on Russia's front door? How about China's?
So the one thing I would agree with you is that indeed - the world remains one of the strong picking on the weak. And the last place you ever want to be is caught in the middle of a turf war between two giants. The world would be vastly better for everybody if those giants instead existed in collaboration, or at least healthy competition. One trying to dominate the other is only likely to hurt those caught in the middle. Because if the two giants ever came to unrestrained blows, the entire world would burn.
You guys need to accept the real reality, none of Ruzzian neighbors want to be part of Ruzzia, NONE . Everyone inteligent person is leaving Ruzzia, people in neighboring countries go in EU or West and not Ruzzia.
We know better what Ruzzians are capable of, and we know better what we want, no visit from an USaian or Soros can overnight change our minds.
I see this with Ruzzians that are USSR nostalgic, they actually think that Moscowites sacrificed their wealth to help everyone else and we just got brainwashed to hate them, the genocides did not happened anfd if they would have happened the victims deserved it.
True, they cease being “meaningful” the moment you surrender and stop viewing them as threats.
OFC it’s all relative, Russia and similar actors having more political/economic influence in the US (and by extension globally) might not be viewed as a negative by some people.
TIL: I had no idea China had already launched their own space station: https://en.wikipedia.org/wiki/Tiangong_space_station
Baring in mind, that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
Remember of scandal with US spying directly all European top politicians? This was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce state from its other actions in same area neither. I don't think I need to bring up numerous fuckups of US 'defense' and secret services that literally killed tens of millions civilians in past 100 years across whole globe, with very little to show for and claim 'it was worth it because we achieved XYZ'.
Starlink and Tesla are security concerns.
The US' current attitudes suggest that they would very much like to see world war three. And would like to ally with Russia to make it happen.
Recklessly endangering international agreements will not be without consequences.
If there is source with evidence of that warfare, that can change my mind
However, it is likely that I would do so if they show themselves to be an enemy of my nation. If you've found Google attacking a government, I'm sure plenty of people would love to see the evidence.
[0] https://securityaffairs.com/174586/intelligence/australia-ba...
[1] https://www.nytimes.com/2022/12/22/technology/byte-dance-tik...
[2] https://storage.googleapis.com/gweb-uniblog-publish-prod/doc...
It shows only that the Australian government expresses concern over the capability, which doesn't seem entirely unreasonable and also politically motivated.
Oceania has always been at war Eastasia, and all that.
That's not concern of possibility. That's acknowledgement of exfiltration of data, back to Russia. Past tense.
This is political, yes. But only insofar as all actions of one nation against another is political. Australia go to some lengths not to piss Russia off. If things were not so political, then the response would likely be much greater, not less.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
Until Trump, the USA was not a direct threat to the nation I now live in. However, nuance is lacking in your response.
You cannot divorce a company serving its government, from the politics it lives in. There's little evidence of Y-Combinator, for example, of endeavouring to upend their entire business to serve as spies for the USA. If Kaspersky was divorced from the KGB, politics would not be as considerable a context for understanding their actions.
I would extend that to "a company bound by law", since governments can change. [0]
Most people here argue that google, etc. have not been caught stealing/leaking data yet, as if Snowden didnt happen. And as if any foreign citizen data isnt fair game to US juristiction. [1]
0: https://en.m.wikipedia.org/wiki/Protect_America_Act_of_2007
1: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20...
Thankyou for clarifying that you're not interested in conversation, only antagonism.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
We can't trust Kaspersky. They're compromised by a government that's known to lie and manipulate. Again, they may be telling the truth here (certainly doesn't seem controversial), but I'm going to wait for someone I trust to tell me that.
I also get nitpickity about it.
Not because some organization or some person is Russian, then it must be under the control of Putin.
Pavel Durov is Russian, and I don't have reasons to believe he syphons my data to the Kremlin (other than getting randomly detained in France).
The big difference is that as of today, we are currently stuck with available alternatives, but it won't surprise me if many goverments start looking back into the computing diversity infrastructure that we had during cold war days.