To clarify, when does this run? Like you download malware A, run malware A and this function definition changes sudo for it, or sudo for other cases?

This could for instance be injected into your .bashrc when you do an "npm install" of a package that has a deeply nested supply chain attack.

Then the next time you run sudo, phase2 triggers installing a rootkit, etc.

That is one of many reasons to keep your dotfiles under version control.

	▲	lpribis 13 minutes ago \| parent [-]
		How would that help? Unless you happen to check the dotfiles git diff before running _anything_. I guess this could be put in prompt or some cron job to detect diffs but I bet absolutely nobody does this.

Or you could also hijack it using $PATH search order with your wrapper to get existing terminal sessions too, there's a lot of ways to skin that cat.

	▲	lrvick 30 minutes ago \| parent [-]
		Endless ways, which is why I do not understand why sudo is ever used anymore, especially in production. You do not need root to do anything in Linux these days anyway between Namespaces and Capabilities so there is really no reason for root to be accessible at all or have any processes running as root post boot.