This is why we can’t have nice things
Any intel on affected, high-profile software?
I found the original blog post more educational.
Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.
The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.
If anyone is curious, I checked the yay aur helper go dependencies here and it had none of the malicious packages mentioned on this post
