A hacker group is poisoning open source code at an unprecedented scale


b1LL_

Seniorius Lurkius
37
Subscriptor
Anyone else find the geopolitical aside a bit strange? Why would a hacking collective that appears to be financially motivated target Iran with wipers?

Accuse me of tinfoiled fashion accessories if you like, but I'm willing to wager that TeamPCP is bankrolled by Mossad.
 
Last edited:
Upvote
28 (42 / -14)

WereCatf

Ars Tribunus Militum
2,902
Time for people and companies to treat GitHub like Flash and ban it from their computers and development processes.
What would that help? It's not Github getting compromised how these attackers do their supply-chain attacks, it's the developers' accounts and/or their CI/CD-pipelines. Banning Github would do jack shit about that.

Just as an example, many of these attacks have happened because some projects like to run a CI/CD-pipeline on any new pull-requests to check for compilation errors or other issues, but they've given the pipeline access to tokens they shouldn't have and/or wider permissions to the project's repos than intended, so a malicious pull-request could abuse this and cause the pipeline to write to the repos and/or leak the tokens. That's not Github's fault, that's the developers' own mistake.
 
Last edited:
Upvote
75 (75 / 0)
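The pipeline mistake described in the post above, shown as two GitHub Actions workflows. This is an added illustration for readers, not code from the thread or from any project named in it; the repository layout, the `NPM_TOKEN` secret and the npm build commands are assumptions. The first workflow reproduces the weak pattern (a privileged trigger running code taken from the pull request), the second is the least-privilege form.

```yaml
# Added illustration; assumed project layout, secret name and build commands.
#
# WEAK: `pull_request_target` runs in the context of the base repository, so the
# job gets a GITHUB_TOKEN that can write to the repo and has access to its
# secrets. Checking out the PR head and then running its build scripts executes
# whatever the PR author put in package.json with those credentials available.
name: ci-weak
on:
  pull_request_target:                                   # privileged trigger
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # code controlled by the PR author
      - run: npm ci && npm run build                      # lifecycle scripts from the PR run here
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}             # assumed publish secret, exposed to that code

---
# HARDENED: `pull_request` from a fork receives a read-only GITHUB_TOKEN and no
# repository secrets, and the explicit `permissions` block keeps the token
# read-only even for branches in the main repository. Install scripts from the
# PR's package.json are not executed, and no publish secret is in scope at all.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read                                          # least privilege for the whole workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                         # default checkout of the PR merge commit
      - run: npm ci --ignore-scripts && npm run build     # no arbitrary install hooks from the PR
```

Publishing or releasing, which genuinely needs a write token or a registry secret, belongs in a separate workflow that runs only on pushes to the protected default branch or on tags, after review, so untrusted pull-request code never executes in a job that holds those credentials.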

WereCatf

Ars Tribunus Militum
2,902
Anyone else find the geopolitical aside a bit strange? Why would a hacking collective that appears to be financially motivated target Iran with wipers?
You'd have to ask them, if it actually was them. It could've been someone posing as them just as well, but...well, we don't really have any way of knowing for sure. One also has to remember that it's still a group of individuals, not a hive-mind: there could be politically motivated people there just as everywhere else and who knows? They might pull off a stunt like that without the others' permission.
 
Upvote
33 (35 / -2)

WereCatf

Ars Tribunus Militum
2,902
Turn off auto update on your extensions if you are using VSCode or any other similar tool. It’s going to be a rough ride folks.
It would help if they at least implemented a "cooldown", where you can set a certain amount of time that must have elapsed since the extension made a release before VSCode auto-updates the extension to that release. Alas, I cannot find any mention of any plans to implement such a feature, at least not yet.

EDIT: There is an open feature request for this at https://github.com/microsoft/vscode/issues/317830 if anyone's feeling like upvoting the request. I did.
 
Last edited:
Upvote
45 (45 / 0)

mygeek911

Ars Scholae Palatinae
952
Subscriptor++
It would help if they at least implemented a "cooldown", where you can set a certain amount of time that must have elapsed since the extension made a release before VSCode auto-updates the extension to that release. Alas, I cannot find any mention of any plans to implement such a feature, at least not yet.

EDIT: There is an open feature request for this at https://github.com/microsoft/vscode/issues/317830 if anyone's feeling like upvoting the request. I did.
An excellent idea! I especially like that they request it can be managed in the enterprise. Thank you for the heads up! I’ll be upvoting as well.
 
Upvote
19 (19 / 0)

adamsc

Ars Praefectus
4,285
Subscriptor++
It would help if they at least implemented a "cooldown", where you can set a certain amount of time that must have elapsed since the extension made a release before VSCode auto-updates the extension to that release. Alas, I cannot find any mention of any plans to implement such a feature, at least not yet.

EDIT: There is an open feature request for this at https://github.com/microsoft/vscode/issues/317830 if anyone's feeling like upvoting the request. I did.

This is the one which has the most traction:

https://github.com/microsoft/vscode/issues/316867

It’s a successor to a couple of older issues which were closed as “not planned” but seems to be getting more traction. There were like a dozen of us on the older one but this is already over a hundred votes.
 
Upvote
22 (22 / 0)

MilanKraft

Ars Tribunus Angusticlavius
6,961
Literally EVERYTHING that was promising about the Internet Information Superhighway is being compromised or destroyed. It lasted a good 25 years, but now we're entering the true end stage.
It's starting to feel like: if you have a machine that's been stable and nothing on it updated for a while, do NOT accept or download any new apps or updates, other than vetted OS security updates. At least until this gets sorted somehow. And maybe Firefox updates, since they seem to be keyed in on fixing security holes at the moment and presumably would vet their own Fox food before sending it out into the world.

Maybe dev shops should now explicitly state on every product page, "only download direct from our site or the app's direct update mechanism (which goes to our site), as only those can be verified as having been scanned and vetted before release." Or something. I'm not coder kind so am unsure if there's any sort of "best practice protocol" that could be public facing to reassure people it's OK to continue updating their favorite apps and extensions.
 
Upvote
4 (8 / -4)

Macleone

Smack-Fu Master, in training
97
Subscriptor
Maybe dev shops should now explicitly state on every product page, "only download direct from our site or the app's direct update mechanism (which goes to our site), as only those can be verified as having been scanned and vetted before release."

That's why code signing exists and is integrated into modern OSes.
 
Upvote
22 (22 / 0)
On Tuesday night, open source code platform GitHub announced that it had been breached by hackers in one such software supply chain attack: A GitHub developer had installed a “poisoned” extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft.

Github is such a dumpster fire these days I'm not even surprised they're letting untrusted 3rd party extension developers push random code to their internal network.
 
Upvote
-13 (1 / -14)

Albino_Boo

Ars Tribunus Angusticlavius
8,755
Anyone else find the geopolitical aside a bit strange? Why would a hacking collective that appears to be financially motivated target Iran with wipers?

Accuse me of tinfoiled fashion accessories if you like, but I'm willing to wager that TeamPCP is bankrolled by Mossad.
You do understand that Microsoft has contracts with the Israeli government.
 
Upvote
-7 (2 / -9)
Who remembers when a developer had updates and you sent in for them on floppies via snailmail?
No hacker trying to intercept your postal mail to infect that floppy... when RAM was in K and Megabytes not Gigs...
A bit before my time, but I miss the era of hitting up niche forums and blogs for third party software. Felt like the wild west, compared to today, but I trusted those forums more than I did limewire.
 
Upvote
4 (4 / 0)
What would that help? It's not Github getting compromised how these attackers do their supply-chain attacks, it's the developers' accounts and/or their CI/CD-pipelines. Banning Github would do jack shit about that.

Just as an example, many of these attacks have happened because some projects like to run a CI/CD-pipeline on any new pull-requests to check for compilation errors or other issues, but they've given the pipeline access to tokens they shouldn't have and/or wider permissions to the project's repos than intended, so a malicious pull-request could abuse this and cause the pipeline to write to the repos and/or leak the tokens. That's not Github's fault, that's the developers' own mistake.
Speed and convenience over security.
But to be fair, even security-minded companies can get compromised. In fact, really good security ASSUMES that you will be compromised at some point. That's the only way you can contain attacks. It's hard and expensive.
 
Upvote
4 (4 / 0)

Array1

Smack-Fu Master, in training
2
Anyone else find the geopolitical aside a bit strange? Why would a hacking collective that appears to be financially motivated target Iran with wipers?

Accuse me of tinfoiled fashion accessories if you like, but I'm willing to wager that TeamPCP is bankrolled by Mossad.
PCP did so because an Iranian in a specific Telegram chat was posting annoying content, and this was simply to get a lol and assert his hacking skills for accolades in the group chat.
 
Upvote
3 (3 / 0)

74000tech

Smack-Fu Master, in training
50
It would help if they at least implemented a "cooldown", where you can set a certain amount of time that must have elapsed since the extension made a release before VSCode auto-updates the extension to that release. Alas, I cannot find any mention of any plans to implement such a feature, at least not yet.

EDIT: There is an open feature request for this at https://github.com/microsoft/vscode/issues/317830 if anyone's feeling like upvoting the request. I did.
I must be far too old school: was amazed to realize that people just blindly auto update their dependencies.
 
Upvote
3 (3 / 0)

Random_stranger

Ars Praefectus
5,418
Subscriptor
I must be far too old school: was amazed to realize that people just blindly auto update their dependencies.

Yeah, this. As an old-school C hacker, I still shake my head that web-based stuff always pulls the latest version off the web, including things like "left-pad" or whatever. You grab a recent stable version of a library, vet it carefully, then compile/link and ship that version until you need to upgrade.
 
Upvote
2 (2 / 0)

Zeppos

Ars Tribunus Militum
2,974
Subscriptor
If I'm a home vibe coding user what's the best way to protect myself from these sorts of things?
Don't vibe code - it's a bloody stupid idea anyway. Understand what you're writing, understand what your LLM is writing!
Vibe code! Have fun. Let the AI do the boring thing you are not interested in. We all know its limitations by now.
Had chatgpt build a gui for some code I wrote. It is far from perfect, but works ok. Took me 30 minutes. I vaguely understand the code. I found a few bugs. Left them in to punish the user for not following the instructions. Of course this is hobby work.

Need a perfect GUI? Thoughtfully written? Pay me.
 
Upvote
-1 (0 / -1)