this post was submitted on 29 Feb 2024
204 points (98.1% liked)

Open Source

31061 readers
583 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 39 points 8 months ago

I don't see how "scammers creating scam repos" [2] is newsworthy at all. At least the headline seems like a big nothing-burger to me.

farther down in the article are 2 interesting informations, namely this diagram [1] and the fact that scammers seem to have moved from pip to github, and then started to use forks to make their scam-clones appear more believable.

[1] https://apiiro.com/wp-content/uploads/2024/02/Malicious-Package-Timeline.png

[2] 1000 guys make 1000 clones of 1000 legit libraries, and than create 1000 forks of their clones, to make them seem more legit than the original lib. 999 of each 1000 clones get autofiltered by github

--> 100010001000*1000/1000 = 1.000.000.000 infected repos(inkluding forks) and 1.000.000 (wihout forks).

so the number of 100.000 infected repos doesn't seem to be interesting or unexpected in any way.