- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
You must log in or register to comment.
Well that’s certainly no light read - I’ll admit that I’ve only read the first six sections of the document for now
The crux of it that I could see was the initial repo that was backdoored contained a malicious Windows command in the PreBuildCommand field of .vbproj file
My initial thoughts would be that it might be advisable for build tools to confirm any defined build commands with the user when it detects a command not seen before?
I suppose otherwise the argument could be made that if you’re downloading and compiling code that is backdoored, if you’re not checking .vbproj or equivalents, you’re probably also not auditing any source code either and you’re being pwned either way.
A lot of malware-adjacent stuff, like exploit demonstration code, has contained its own malware targeting the user. Probably best to run stuff like that in a container or VM.
Agreed - the end of the article does state compiling untrusted repos is effectively the same as running an untrusted executable, and you should treat it with the same caution (especially if its malware or gaming cheat adjacent)
