Saturday, January 28, 2023
GitHub blighted by “researcher” who created hundreds of malicious projects – Naked Security

Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.

This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were often similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing errors when typing in PyPI URLs.

These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.

A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.

They called these patches hypocrite commits, and the idea was to show that two ordinary patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.

As you can imagine, the Linux kernel team didn’t take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:

Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not OK, it is wasting our time, and we will have to report this, AGAIN, to your university…