Adding an obvious eval of obfuscated code as the only code change in a PR claiming to be a documentation update kind of feels genuinely _less stealthy_ than just adding the malicious code unobfuscated, lying about what it does, and hoping no one reads it though
@@deltamico It tries to exploit human error, that you wont notice. Yeah, sure its hard to miss but shit happens. Obviously it wont pass any human that notices it and has 2 brain cells working to check wtf is this even doing.
@@undefinedchannel9916 I'm not quite sure what you're trying to say. There should be a difference between a black hat hacker and someone who does research.
1990's virus: hello 2024's virus: i am gonna hide in your files, decode myself, download another one, decode that one too and then DOWNLOAD another one.
@@Sypaka That sort of thing, plus self-modifying code, ploymorphic encryption, remaining resident in atypical locations like video memory. They had to spread using a few bytes and no Internet access.
Why do people try this method anyway? Obfuscated code is the biggest red flag of all. It would be detected immediately. Especially in large/popular repos where maintainers check commits for malicious code before accepting.
Reminder that the XZ backdoor was only caught because some dude noticed SSH takes 0.5 seconds longer than it used to, not because it was caught in code review
@@lolwutizit reminder that Jia Tan wasn't as stupid as the people trying to insert these. he didn't just put execute an obfuscated string made in a for loop from a character array it was a combination of binary test files (which is fine and expected for a compression utility, but the ones Jia Tan added were never used in any actual tests, see cf44e4b in the xz repo) and a configuration script to insert the backdoor into distributed tarballs that isn't to say that the code is safe just based on how safe the diff looks; it's just that the people doing these python backdoors are idiots targeting idiots. unless the maintainer suffers a stroke in the middle of code review, this would never pass
"until automated scanning gets better", this is a worse issue, when people start trusting automated scanning. attackers just need to bypass that, as people will be less likely to review code and automated scanning won't be able to catch "new" attacks, there MUST be HUMANS reviewing code.
@@0LoneTech but then it'd be a centralized battle between those writing the code for the automated search and those writing the malicious code themselves, as opposed to right now where those writing the malicious code are effectively automated and centralized currently already, attacking tons of people who may not know they are being attacked and have to manually review if they are being attacked
also: it's another hoop they do have to jump through to do their malicious activities, which would probably help get rid of a good chunk of these extremely simple and obvious attacks because it'd be too much effort for them (idk if you couldnt already tell, but they are extremely lazy lol)
Yes if people get lazy and start relying on automation then open source loses the main thing it has going for it security wise over proprietary. They can be a component but they shouldn't be the only thing we do.
"might have slipped through"? I really do hope that you are kidding. What are the static code analyzers made for, if not to filter the problematic parts like these _before_ compilation / transpilation? Devs are fckn lazy these day.
@@temp50 I'm really not kidding. Most small projects don't use code analyzers. Some projects might take security more serious than others but I don't believe that slipping in a payload would be particularly difficult in smaller projects. "Devs are fckn lazy these day." is also an insane take.
5:07 i saw the command "termux-setup-storage" which only exists in android terminal emulator named termux and grants the storage permission so the payload asks for storage permission, then proceeds to just wipe half the phone cool!
that command is used to give Termux access to storage. Running this command for no reason will NOT wipe your phone. It will wipe ONLY whats set as your ~/storage. If you are dumb enough to set your root (/sdcard or /storage/emulated/0) as storage in Termux, it COULD wipe your stuff, except it wouldnt due to missing privileges.
I'd expect better of even script kiddies tbh... This one is hilariously obvious. There's only two lines added too, so it's not like it's even able to be missed on review. Using exec in python is also basically a no-no to begin with, even for non-malicious code. I'd bet your run-of-the-mill linter would catch it for that reason alone.
@@bountyjedi"I'd expect better of even script kiddies" You shouldn't. Commonly they're literal children (like middle school age) whose training consists of nothing but a couple TH-cam videos like "HOW TO HACK WITH KALI LINUX -- REAL TUTORIAL"
How it actually happens is that the package maintainer is threatened in real life and forced to merge something. That's it. No normal people would merge this crap
@@Pepo..Hehe, interesting timing. But this is an old problem. Our civilization long ago passed the point any single person could vet our tech/knowledge. Like it or not, we rely on overlapping networks of trust.
Tell that to Pinokio Ai launcher which was very problematic to run in Windows because it always triggers safeguards, until current version. That thing automatically installs github projects by script at fast speed. It delivers the promises but i would recommend to turn off PC physically from any Internet.
Good work. Here's another thing to look at. One youtube ad while running librewolf Mozilla Firefox 130.0-3 spawned a "RDD" process. Apparently, it is related to "distributed media" or something like that but it seems people are talking about hackers exploiting it to run crypto mines. When RDD was spawned it took 50% of CPU load. Killing librewolf removed the RDD process.
You mean an ad from googleadservices? So TH-cam processes uploaded videos to standardize the format and scans their content, but Google Ads serves us random files just as they come?
@@turtlefrog369 Well, when I searched the issue, the results were talking about Mozilla Firefox; but I experienced that in librewold which is a fork of Firefox.
interesting you are seeing more and more of these attempts to backdoor large projects that are open source, it seems like a concerted effort but man you are just seeing it more and more nowadays. neat video eric
The explanation is simpler, because openai & others selling ai agents services and many don't care what you doing with them. One american already waiting court with 16 years jail for Spotify thing.
It's not just the big ones, I believe a lot of no name repos are probably full of malware too. We don't know for sure whether smaller projects are being targeted or not. Recently I came across a big open source AI project with thousands of stars where the developers themselves were harvesting user emails or something. Man I love to tinker and explore open source but this is holding me back. ;-;
The issue is people spamming small pulls instead of just bundling lots of documentation changes into one pull I think. It wastes maintainer time and is used to pad out contribution stats for job searching
The one thing I learned from DDLC is to be weary of the "Import os" function that game uses it pretty responsibly to Add in some spooky looking image files/deletes certain files in a subfolder of the install directory overall not malicious/harmful to the OS
The easier thing is looking at exec functions. Exec is rarely necessary for a program and using exec on some random numbers should be quite obvious redflag. If exec is used it should be obvious of what it does, because it can be a security risk even without a payload.
They're sometimes shady because it just becomes someone that's doing clout chasing and adds nothing of real value. eg: they add useless documentation based on what a LLM recommends. More commonly I see people trying to fix code issues based on having a LLM look at the code and make mass recommendations. Something like recommending that a pointer be set to null, even though it goes out of scope the very next line or something equally useless.
@@futuza, at the moment you’re the one hallucinating though. This comment thread started with assertion that documentation changes which *actually clarify or fix something* are good. And then you jump onto a non sequitur about language models.
I'm a desktop developer. I've been allergic to external function calls for DECADES. If the code isn't in my codebase or in whatever known and vetted framework I have to use, it doesn't get used at all. I'll just write my own.
Problem with this is thousands of developers like you rewriting the wheel with no-offence-intended often mediocre implementations each with their own unique bugs.
brother at that point disconnect from the internet entirely. airgap everything. do you make your own computer languages? they can be exploited just as easily as any third party project. how do you know your chip doesn't have any security flaws? or your motherboard bios download isn't getting MitM'd?
@@nestwr : What a bunch of horseshit. Compiled code can be security tested after compilation. Third party external function calls can't be, because you never know when the external code will get changed. But by your logic, I can never be completely sure someone won't dynamite my front door, shoot me, and steal everything I own, so I might as well just leave the doors open. No thanks. Reasonable precautions produce a significant benefit in the real world, where I live.
@@roboko6618 : That's why frameworks exist. Known and vetted code with established accountability for bugs to get fixed. That's fine, go ahead and use frameworks. But I'm not going to use some random person's closed source API that they shared on the internet and hope it keeps working right and isn't malicious. I trust my own skills more than I trust random people's coding skills, and I have the asymptotic decrease in bug reports on projects I've worked on to support their confidence.
This kind of obfuscation gives me so much second-hand embarrassment lol. They could have at least tried to encode the bad stuff into utf-8 white-space and make it look like some kind of actual commit. Honestly, it'd probably be less noticeable to just add the actual code and not call exec at all.
You should look at it this way, rather (and I am not that cynical myself, but for security reasons you should always overestimate the offense and underestimate the defense): if you want the gov to do something, they are lazy; if you don’t want them to do something, they are incredibly laborious.
Assuming someone looks at what was changed; It's not fooling anyone. The bigger problem is people just accepting commits without bothering to check out what changed. Once we have really good software to scan for weird stuff like this reliably, then we can let that system deal with it; But we're not there yet... at least in this repo.
Static code analysis on a PR level is the way to go here. eval, exec, base64, high entropy should all be red flags to check, especially in directories where they have no place to be in. Semgrep is a good tool for it.
This doesn't catch every case. Python has some sneaky ways of doing stuff. The simplest thing would be using __import__('builtins').exec. There are even sneakier ways like replacing the binary code of a lambda function. So manual checking is still the way to go
it would make you a pro elite wine prefix hacker while you try to join your friends on the next popular game (you will fail to do so and bootup winwows)
What worries me is not this sort of obvious bad PR's but stuff where using plausible denialability can be used. Example is a line of code where there is a bug introduced by way of poor coding that opens up a huge flaw. I'm also aware of at least three bugs I have fixed income I wrote where I did that by accident.
Another way is to add a submodule dependency to something legitimate and common, like 'fast_string_cat' Then, in a few years, after you've gotten your dependency merged into dozens of repo's, you update your fast_string_cat repository. How many devs actually code review updated submodules?
I rarely use third-party libraries because of this. I have no idea what is in the code. Unless it's something it would take months for me to do it myself or that is beyond my abilities, I'm not shipping someone else's code to users.
I think that "implement on your own" vs "use library" dilemma is kinda false - you probably should use library, because less code you maintain on your own the better and library will be proportionally to its popularity more tested and efficient, but the real issue here is that you need to trust the library's maintainers. There are always exceptions of course, so universal answer "it depends" still holds, but generally I'd say: use libraries where you can, but only if you trust their maintainers.
We need teams of people out there reviewing code on a regular basis for major open source apps. Sadly that requires lots of resources, lots of money. I'm a programmer myself, got a degree, I don't really do it anymore, but even I would have difficulty detecting something malicious or "hacker-friendly" code. Not to mention, already compiled code could been messed with by altering the given source. What we see on Github and downloading some final compiled file of that app could be different.
It would be trivial to implement a feature that when you use unsafe functions in a PR that it automatically rejects the request and asks for an explanation [and where applicable suggests safe alteratives] sure it will be a little anoying for the like 2 people who are using exec correctly but that will remove this verry hard to detect attack vector
It has. It is called static code analysis and it can be enabled for projects, but maybe they didn't have it enabled for some reason or configured it incorrectly that it didn't recognize this payload? Usually the static code analysis is done as a part of your "test" pipeline in GitHub.
This makes me skeptical of all the open source software I use- oh wait I use Linux I am cooked. Jokes apart day by day github is getting scary and my paranoia suggests that it was a scary place before but people are just finding out about it now
I'm seeing a troubling trend in professional software that may mean open source is our only path to safety, security and privacy. Unfortunately, politics is corrupting open source on a level never seen before and we may eventually have to all write our own software to ensure we're safe, secure and private. The future doesn't look good.
3:43 I wonder if github is going to do anything about it if he deleted the secondary files, they sure didn't care when the dude that made the peacenotwar malware hid all traces of it and closed all issues
Make some automated code review tool that would prevent merge if it has detects int array or hex array so that only repository owner can manually approve it if it turns out to be actual legit code. This way juniors/students just need some first project to work and therefore may not care as much on won't get to merge this. And alternatively you could block merges if line is more than 150 chars long for example so that any attempts to start line with many spaces will get caught.
There is no way this is a real intentional PR to get malware in. Even highschool me wouldn't have done such a obvious obfuscation. So I can guarantee you there have been MULTIPLE backdoors in popular open source applications right now.
I don't think that would actually disable it fully, but I might be wrong. You can test that by running some harmless command with Python exec. Even if you disable powershell, it might just execute in CMD (the older command processor).
Anyone who doesn’t like PRs which only correct documentation is someone who thinks the purpose of OSS contribution is green square clout. It’s missing the point entirely. That aspect of this malicious PR obviously isn’t the part that was problematic.
These attempts are so pathetic. It's like when I opened an issue, and someone respond with "hey, I have a fix for you, download this, and execute this here binary". If someone falls for these kinds of attempts, they shouldn't be involved in FOSS.
Who is they? Thinking about my current project, huge block of JS looks like obfuscated text, is actually raw dogging the bit register of I2C bus because linux kernel driver is more broken than a car accident.
>"innocent looking" >obvious call to exec() with obfuscated code ok. 🙄 honestly this is more indicative of the comically amateur state of open source software and the incompetent developers thereof.
Stay tuned for more movies that play in the heads of paranoid people's minds. You think nerdy github folks are prime targets for the CIA? You think the CIA doesn't have algorithms to sniff out and vet real threats versus goobers who watch too much FOX news?
Adding an obvious eval of obfuscated code as the only code change in a PR claiming to be a documentation update kind of feels genuinely _less stealthy_ than just adding the malicious code unobfuscated, lying about what it does, and hoping no one reads it though
Encoding a code like this doesn't ever have a legit usecase right? its only to bypass the automated checks
Yeah, that was dumb. Maybe it's a(n unethical) researcher testing to see how easy it might be to compromise software
@@deltamico It tries to exploit human error, that you wont notice. Yeah, sure its hard to miss but shit happens. Obviously it wont pass any human that notices it and has 2 brain cells working to check wtf is this even doing.
@@paxcoderatp there’s no difference between a “researcher” and “attacker”
@@undefinedchannel9916 I'm not quite sure what you're trying to say. There should be a difference between a black hat hacker and someone who does research.
People doing these are the malware of Mankind
they most likely will live a happy life :D
@@uhohwhy Not if I can help it!
@@zakyia keep dreamin
@@uhohwhy nah buddy, there's something called karma, god will take from you as much as you took from people
@@turkym7md5 thats a myth
scriptkiddie level of "stealth"
Unfortunately that's still sophisticated enough to rekt people
I read skibidi
@@ouss skiddie toulet
@@ouss You're not too far off. It's the same level of brainrott scriptkiddies have
@@ouss skididi kiddie
1990's virus: hello
2024's virus: i am gonna hide in your files, decode myself, download another one, decode that one too and then DOWNLOAD another one.
90s viruses tended to be a lot more sophisticated imo.
@@eadweard. Like "I am hiding in your MBR and wait for 30 boots or until 12th December to run the payload."
@@eadweard. 90's malware compared to today's malware is SUPER basic.
@@Sypaka That sort of thing, plus self-modifying code, ploymorphic encryption, remaining resident in atypical locations like video memory. They had to spread using a few bytes and no Internet access.
@@su-25frogfoot74 Other way around I'm afraid.
Why do people try this method anyway? Obfuscated code is the biggest red flag of all. It would be detected immediately. Especially in large/popular repos where maintainers check commits for malicious code before accepting.
cause they only need 1 slip up
Does github have a flagger to users who submit obfuscated code to huge public repositories?
Reminder that the XZ backdoor was only caught because some dude noticed SSH takes 0.5 seconds longer than it used to, not because it was caught in code review
@@lolwutizit reminder that Jia Tan wasn't as stupid as the people trying to insert these. he didn't just put execute an obfuscated string made in a for loop from a character array
it was a combination of binary test files (which is fine and expected for a compression utility, but the ones Jia Tan added were never used in any actual tests, see cf44e4b in the xz repo) and a configuration script to insert the backdoor into distributed tarballs
that isn't to say that the code is safe just based on how safe the diff looks; it's just that the people doing these python backdoors are idiots targeting idiots. unless the maintainer suffers a stroke in the middle of code review, this would never pass
@@soccerguy2433 This. Once you let them get on the other side of the airtight hatch, they can wreak all kinds of havoc.
"until automated scanning gets better", this is a worse issue, when people start trusting automated scanning. attackers just need to bypass that, as people will be less likely to review code and automated scanning won't be able to catch "new" attacks, there MUST be HUMANS reviewing code.
And where the scanning is automated, you can automate the bypass search.
@@0LoneTech but then it'd be a centralized battle between those writing the code for the automated search and those writing the malicious code themselves, as opposed to right now where those writing the malicious code are effectively automated and centralized currently already, attacking tons of people who may not know they are being attacked and have to manually review if they are being attacked
also: it's another hoop they do have to jump through to do their malicious activities, which would probably help get rid of a good chunk of these extremely simple and obvious attacks because it'd be too much effort for them (idk if you couldnt already tell, but they are extremely lazy lol)
I mean automated scans are the bare minimum. Lot of devs are not even doing that one!
Yes if people get lazy and start relying on automation then open source loses the main thing it has going for it security wise over proprietary. They can be a component but they shouldn't be the only thing we do.
I mean if he would have hidden this in a huge PR then it might have slipped through but this is just lazy.
"might have slipped through"? I really do hope that you are kidding. What are the static code analyzers made for, if not to filter the problematic parts like these _before_ compilation / transpilation?
Devs are fckn lazy these day.
@@temp50 what code base are you actively managing?
@@temp50
I'm really not kidding. Most small projects don't use code analyzers.
Some projects might take security more serious than others but I don't believe that slipping in a payload would be particularly difficult in smaller projects.
"Devs are fckn lazy these day." is also an insane take.
Honestly I felt insulted by how obvious of a payload that was
5:07 i saw the command "termux-setup-storage" which only exists in android terminal emulator named termux and grants the storage permission
so the payload asks for storage permission, then proceeds to just wipe half the phone
cool!
that command is used to give Termux access to storage. Running this command for no reason will NOT wipe your phone. It will wipe ONLY whats set as your ~/storage. If you are dumb enough to set your root (/sdcard or /storage/emulated/0) as storage in Termux, it COULD wipe your stuff, except it wouldnt due to missing privileges.
@Sharpless2 i said 'that script' not 'that command'
bad word pick ig
@@Sharpless2 also considering android updates, it is even worse regarding privileges?
i smell andriod malware upon seeing the termux-setup-storage line of code
@@SanekGamer007 no, the word choice was fine. The commenter just has bad reading comprehension
3:39 gagal means fail in Indonesian / Malay
Nowhere nearly as sophisticated as Jia Tan. This is script-kiddie level.
I love your profile picture lmao
Jia Tan was hardcore. Definitely some S tier black hat hired by god knows who.
I'd expect better of even script kiddies tbh...
This one is hilariously obvious. There's only two lines added too, so it's not like it's even able to be missed on review.
Using exec in python is also basically a no-no to begin with, even for non-malicious code. I'd bet your run-of-the-mill linter would catch it for that reason alone.
@@bountyjedi"I'd expect better of even script kiddies"
You shouldn't. Commonly they're literal children (like middle school age) whose training consists of nothing but a couple TH-cam videos like "HOW TO HACK WITH KALI LINUX -- REAL TUTORIAL"
@@sid6645 Jia Tan is aggent77. in other words CIA Man.
How it actually happens is that the package maintainer is threatened in real life and forced to merge something. That's it. No normal people would merge this crap
this is like the A=1 B=2 cipher of attempting malicious code. did a 13 year old do this
most likely
An AC y/o did this, for sure! 😁
Not "like", that's literally what it is (except the numbers are different)
me watching this who casually downloads hundreds of random projects from github without reading the code 💀
same lol
most of them are safe since owners wont merge these prs
omg just read this while installing 5 github projects through winget 😭
@@Pepo..Hehe, interesting timing. But this is an old problem. Our civilization long ago passed the point any single person could vet our tech/knowledge. Like it or not, we rely on overlapping networks of trust.
Tell that to Pinokio Ai launcher which was very problematic to run in Windows because it always triggers safeguards, until current version. That thing automatically installs github projects by script at fast speed. It delivers the promises but i would recommend to turn off PC physically from any Internet.
Pushing an obfuscated code as random array is red flag enough.
this youtube channel appeared in a dream i had and i don't know why
There can be no doubt. You are the chosen one.
Maybe you've seen it before and forgot about it
u might got hacked in another timeline and that is the echo from u warning u
@@pixelcatcher123His brain got hacked
Fated to be
Good work. Here's another thing to look at.
One youtube ad while running librewolf Mozilla Firefox 130.0-3 spawned a "RDD" process.
Apparently, it is related to "distributed media" or something like that but it seems people are talking about hackers exploiting it to run crypto mines. When RDD was spawned it took 50% of CPU load. Killing librewolf removed the RDD process.
It's a marvel ad providers are still not held accountable for stuff like that, and yet they'd like to control what you say.
You mean an ad from googleadservices? So TH-cam processes uploaded videos to standardize the format and scans their content, but Google Ads serves us random files just as they come?
@@Fiufsciak TH-cam is actually doing a lot to protect it's customers... no, not us, we are "Users", the Advertisers, they bring in the money.
it only affected librewolf?
@@turtlefrog369 Well, when I searched the issue, the results were talking about Mozilla Firefox; but I experienced that in librewold which is a fork of Firefox.
5:37 i think "facebook hack" is like they send this to ppl on facebook or using a zeroday to run it or something like that
"Is this here intentionally?"
When your coworker did something extremely dumb, but you still try to be professional instead of calling them an idiot.
This is how to tell the diff btw a regular coworker and a friend coworker. Cus a friend i would prob be like: bruh wtf
interesting you are seeing more and more of these attempts to backdoor large projects that are open source, it seems like a concerted effort but man you are just seeing it more and more nowadays.
neat video eric
Cyber attacks are becoming more frequent worldwide. It's not a surprise.
The explanation is simpler, because openai & others selling ai agents services and many don't care what you doing with them. One american already waiting court with 16 years jail for Spotify thing.
It's not just the big ones, I believe a lot of no name repos are probably full of malware too. We don't know for sure whether smaller projects are being targeted or not.
Recently I came across a big open source AI project with thousands of stars where the developers themselves were harvesting user emails or something. Man I love to tinker and explore open source but this is holding me back. ;-;
More backwater third world countries got internet access?
Fuck off racist twat, those countries are only backwater because we exploit them and turn them into smoking crater when they dare revolt.
idk, writing or fixing documentation isn't a job most people like to do so I think it's just as valid as a small bug fix.
The issue is people spamming small pulls instead of just bundling lots of documentation changes into one pull I think.
It wastes maintainer time and is used to pad out contribution stats for job searching
The one thing I learned from DDLC is to be weary of the "Import os" function that game uses it pretty responsibly to Add in some spooky looking image files/deletes certain files in a subfolder of the install directory overall not malicious/harmful to the OS
Please use punctuation, I almost died reading that, no offense.
I literally died reading that. (take offense)
The easier thing is looking at exec functions.
Exec is rarely necessary for a program and using exec on some random numbers should be quite obvious redflag.
If exec is used it should be obvious of what it does, because it can be a security risk even without a payload.
Why would I get tired of a function?
*wary
"Um... whatcha got there?"
"A smoothie"
if you see anything that even resembles this in a PR and it doesn’t set off every alarm bell in your brain please quit programming forever
Docs only pulls are great if you actually clarify or fix something. I have never had a PR like that rejected.
They're sometimes shady because it just becomes someone that's doing clout chasing and adds nothing of real value. eg: they add useless documentation based on what a LLM recommends. More commonly I see people trying to fix code issues based on having a LLM look at the code and make mass recommendations. Something like recommending that a pointer be set to null, even though it goes out of scope the very next line or something equally useless.
@@futuza"Now that I fixed 1 line of grammar, I can finally add 'AOSP Contributor' in my bio 🥸"
@@futuzaadding and fixing documentation adds value though.
@@mina86 Sure, if it was actual documentation and not AI generated slop that may be completely hallucinatory.
@@futuza, at the moment you’re the one hallucinating though. This comment thread started with assertion that documentation changes which *actually clarify or fix something* are good. And then you jump onto a non sequitur about language models.
I'm a desktop developer. I've been allergic to external function calls for DECADES. If the code isn't in my codebase or in whatever known and vetted framework I have to use, it doesn't get used at all. I'll just write my own.
Problem with this is thousands of developers like you rewriting the wheel with no-offence-intended often mediocre implementations each with their own unique bugs.
brother at that point disconnect from the internet entirely. airgap everything. do you make your own computer languages? they can be exploited just as easily as any third party project. how do you know your chip doesn't have any security flaws? or your motherboard bios download isn't getting MitM'd?
kinda based ngl, i should also give practices like "minimising external function calls to a bare minimum" a try
@@nestwr : What a bunch of horseshit. Compiled code can be security tested after compilation. Third party external function calls can't be, because you never know when the external code will get changed. But by your logic, I can never be completely sure someone won't dynamite my front door, shoot me, and steal everything I own, so I might as well just leave the doors open. No thanks. Reasonable precautions produce a significant benefit in the real world, where I live.
@@roboko6618 : That's why frameworks exist. Known and vetted code with established accountability for bugs to get fixed. That's fine, go ahead and use frameworks. But I'm not going to use some random person's closed source API that they shared on the internet and hope it keeps working right and isn't malicious. I trust my own skills more than I trust random people's coding skills, and I have the asymptotic decrease in bug reports on projects I've worked on to support their confidence.
This kind of obfuscation gives me so much second-hand embarrassment lol. They could have at least tried to encode the bad stuff into utf-8 white-space and make it look like some kind of actual commit. Honestly, it'd probably be less noticeable to just add the actual code and not call exec at all.
this is far too obvious it makes me feel like this could have been done to attempt to cover up some actually hidden backdoor somewhere else
06:09 also check if standard library has what you want
I always assume these kinds of attacks are State actors.
Only a government employee would be so lazy.
well, State actors attacking stuff are more subtle (jia Tan, Pegasus, etc), this is really script kiddy stuff
You should look at it this way, rather (and I am not that cynical myself, but for security reasons you should always overestimate the offense and underestimate the defense): if you want the gov to do something, they are lazy; if you don’t want them to do something, they are incredibly laborious.
Assuming someone looks at what was changed; It's not fooling anyone. The bigger problem is people just accepting commits without bothering to check out what changed. Once we have really good software to scan for weird stuff like this reliably, then we can let that system deal with it; But we're not there yet... at least in this repo.
Static code analysis on a PR level is the way to go here. eval, exec, base64, high entropy should all be red flags to check, especially in directories where they have no place to be in. Semgrep is a good tool for it.
This is why I loved how Linus Torvalds ripped people a new asshole for making bad Linux kernel pull requests
04:38 add `exec=print` to start of file?
This doesn't catch every case. Python has some sneaky ways of doing stuff. The simplest thing would be using __import__('builtins').exec.
There are even sneakier ways like replacing the binary code of a lambda function.
So manual checking is still the way to go
@@snudget Maybe the only safe way is not to copy-paste any into Python at all. e.g. load the string from another file, or load the list as json
@@AlexanderVulpes only safe way to do this is compile custom python version.
or use a find and replace ffs this was painful to watch
exec=raise Exception('PANIC PANIC PANIC')
You have been making absolute bangers of videos recently man.
if i write some in batch code will that make me a pro hacker since batch is a hacker languge
No
@@EL_DIABLOMATEO09ik im jokin😭
Yes
it would make you a pro elite wine prefix hacker while you try to join your friends on the next popular game (you will fail to do so and bootup winwows)
a leet one, even! 🔢🔡🔣👨💻
What worries me is not this sort of obvious bad PR's but stuff where using plausible denialability can be used. Example is a line of code where there is a bug introduced by way of poor coding that opens up a huge flaw. I'm also aware of at least three bugs I have fixed income I wrote where I did that by accident.
Lmao he changed literally 2 files and thought no one would notice bruh
i think he is from indonesia, the word sandi and gagal is indonesia word
Name also likely indonesian 😅
His youtube channel is linked in GitHub so yeah, he seems to be
probably Indonesian high school kids that just learned to code and want to be naughty
I can't believe his parents named him Evil Dojo 666, so progressive.
2:20 it is nice enough to close the connection it opened so it has that going for it
my anxiety watching you paste the malicious code into your IDE 📈📈📈
How convenient for corpos who need to fix their reputation known for bad code, privacy concerns or even security breaks.
Another way is to add a submodule dependency to something legitimate and common, like 'fast_string_cat'
Then, in a few years, after you've gotten your dependency merged into dozens of repo's, you update your fast_string_cat repository. How many devs actually code review updated submodules?
That's the sloppiest shit I've ever seen
I rarely use third-party libraries because of this. I have no idea what is in the code. Unless it's something it would take months for me to do it myself or that is beyond my abilities, I'm not shipping someone else's code to users.
And this is not how modern web development works. I don't think anyone has read most of what's on npm for a decade *scared face emoji goes here*
You might as well not use the internet, every software or website ever made relies on "third party" libraries
I think that "implement on your own" vs "use library" dilemma is kinda false - you probably should use library, because less code you maintain on your own the better and library will be proportionally to its popularity more tested and efficient, but the real issue here is that you need to trust the library's maintainers. There are always exceptions of course, so universal answer "it depends" still holds, but generally I'd say: use libraries where you can, but only if you trust their maintainers.
Lets all love Lain!
( i was kinda little confused when saw lain as user directory in PS, because i have it too XD )
Such a low-effort attempt, I feel bad for this guy
We need teams of people out there reviewing code on a regular basis for major open source apps. Sadly that requires lots of resources, lots of money. I'm a programmer myself, got a degree, I don't really do it anymore, but even I would have difficulty detecting something malicious or "hacker-friendly" code. Not to mention, already compiled code could been messed with by altering the given source. What we see on Github and downloading some final compiled file of that app could be different.
Gagal basically means "Failed", on Malaysian/Indonesian Language.
I like how you broke it down and opened it up in a virtual machine, you should do more! Really enjoyed it
It would be trivial to implement a feature that when you use unsafe functions in a PR that it automatically rejects the request and asks for an explanation [and where applicable suggests safe alteratives] sure it will be a little anoying for the like 2 people who are using exec correctly but that will remove this verry hard to detect attack vector
Why has github no virus scanner, that slaps a big red warning on any code strings like this? Must be not to difficult to detect.
It has. It is called static code analysis and it can be enabled for projects, but maybe they didn't have it enabled for some reason or configured it incorrectly that it didn't recognize this payload? Usually the static code analysis is done as a part of your "test" pipeline in GitHub.
And sometimes they have funny names like Linus Torvalds.
gagal means fail
This makes me skeptical of all the open source software I use- oh wait I use Linux I am cooked. Jokes apart day by day github is getting scary and my paranoia suggests that it was a scary place before but people are just finding out about it now
Don't be overdramatic lmao just be vigilant and careful when running untested stuff from GitHub
surely no one is actually merging these PRs? its so obviously malicious code.
I have not once encountered an open source project that wasn't happy to receive documentation updates. Since when have they been "controversial"?
Good lord these hackers would actually be worth something if they went out and spent time building better software. What a waste of life.
These people are dragging humanity backwards.
They’re trying to make “open source” no longer safe to exist.
I'm seeing a troubling trend in professional software that may mean open source is our only path to safety, security and privacy. Unfortunately, politics is corrupting open source on a level never seen before and we may eventually have to all write our own software to ensure we're safe, secure and private. The future doesn't look good.
The most terrifying part, once in a while they get merged.
it's all jia tan's fault
Not me thinking he was going to open Photoshop somewhere in the video.
3:43 I wonder if github is going to do anything about it if he deleted the secondary files, they sure didn't care when the dude that made the peacenotwar malware hid all traces of it and closed all issues
as indonesian i know this guy and i feel ashamed
20/1 odds some proprietary company is behind these. OpenAI I'm looking at you
You know what's more infuriating? I report malicious content to domain registrars and hosting providers, and they do absolutely NOTHING about that
I hope there are automated checks watching for this, and not just other contributors and managers
Love how the username is `evildojo666`. This wasn't even a sophisticated attack. It was the most blatantly obvious attack I've ever seen 🤣
Make some automated code review tool that would prevent merge if it has detects int array or hex array so that only repository owner can manually approve it if it turns out to be actual legit code. This way juniors/students just need some first project to work and therefore may not care as much on won't get to merge this. And alternatively you could block merges if line is more than 150 chars long for example so that any attempts to start line with many spaces will get caught.
There is no way this is a real intentional PR to get malware in. Even highschool me wouldn't have done such a obvious obfuscation.
So I can guarantee you there have been MULTIPLE backdoors in popular open source applications right now.
Automated scanners? that's never been foolproof in the past.
Not only the exec should be suspicious. Also the list of integers is suspect. There's no reason why you need an unnamed list of integers...
use exec=print to overwrite it
If someone thinks this is a real backdoor, this is just an AI anti-backdooring engine test
This is like one of my pr's in work... turning 2 lines of code into a 10 minute conversation...
At least these here are very obvious, assuming the reviewers actually review everything
i know it's off-topic, but just by seeing "e/acc" in the username i have an immediate disgust response
novice here, if i disable powershell in optional windows features would I be immune to the malware that try to run powershell scripts/commands?
I don't think that would actually disable it fully, but I might be wrong. You can test that by running some harmless command with Python exec. Even if you disable powershell, it might just execute in CMD (the older command processor).
@@theRPGmaster ah yeah that's a good point
Anyone who doesn’t like PRs which only correct documentation is someone who thinks the purpose of OSS contribution is green square clout. It’s missing the point entirely. That aspect of this malicious PR obviously isn’t the part that was problematic.
These attempts are so pathetic.
It's like when I opened an issue, and someone respond with "hey, I have a fix for you, download this, and execute this here binary".
If someone falls for these kinds of attempts, they shouldn't be involved in FOSS.
By the way the else function that print “gagal”, it’s an Indonesian languange means “failed”
Thanks for the video it's really eye opening. I used to like just use whatever without reading lol
Good video. And info.
As an aside - notice how quickly that microsoft 'update' fiasco died down?
I mean...it wasn't a small thing eh?
this is not a "innocent looking PR" ad the Alex Cheer describes it LOL
embarrassing how they think they can get away with it
Who is they? Thinking about my current project, huge block of JS looks like obfuscated text, is actually raw dogging the bit register of I2C bus because linux kernel driver is more broken than a car accident.
>"innocent looking"
>obvious call to exec() with obfuscated code
ok. 🙄
honestly this is more indicative of the comically amateur state of open source software and the incompetent developers thereof.
"There's no such thing as a free lunch".
At least these mfs are here to remind us of that. A necessary evil, dare I say.
"Is this here intentionally?"
dtnewman knows what's up.
Going to start reading some of the source code for open source software I use.
bro is not jia tan
The Reddit Writes Code one is just a rickroll, I decoded it. They used Unicode characters to obfuscate it + selenium to open the link in a browser
Wouldn’t be surprised if it’s someone’s job at the CIA to just try and put these in as many open source projects as possible
Stay tuned for more movies that play in the heads of paranoid people's minds. You think nerdy github folks are prime targets for the CIA? You think the CIA doesn't have algorithms to sniff out and vet real threats versus goobers who watch too much FOX news?
Unfortunately, automated scanning with be met with a ton of automated scamming.
That dude must have lost his job to the U-net 😭
stealthy vm video when? :c teased it but hasn't dropped yet haha
pretty sure the string @ 3:58 was base64 encoded ..
I’m surprised this kind of shit doesn’t get caught by their CI? Exec and eval should be used so rarely.