A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.

The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.

Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.

  • ipkpjersi · 8 points · 1 year ago

    I kind of disagree. Applications often require root permissions to install themselves, since regular users can’t access certain folders like /opt, etc.

    Also, do you really think that people would actually read the source and then compile all their software themselves? Do you do the same?

    Generally though, I do agree: you’re probably fine installing software from your distro’s repos, but even that’s not bulletproof, and it’s not like third-party repos are uncommon either.

    • rufus@discuss.tchncs.de · 2 up / 1 down · edited · 1 year ago

      Yes. I do it the correct way. I use my favourite distro’s package manager to install software. This way it’s tested, a few people had a look at the changes, and sometimes a CI script automatically determines if the installer affects other parts of the system. I go to great lengths to avoid doing it any other way. (I’ve been using some flatpaks in recent times, though. But sometimes I also install it only for a separate user account. Mainly when it’s proprietary or niche.)

      It is super rare that I install random stuff from the internet, or ‘curl’ and then pipe the installer script into a root shell. And when I do, I put in some effort to see if it’s okay. I think I had a quick glance at most of the install .sh scripts before continuing. So yes, I kinda do my best. And I isolate that stuff and don’t put it on the same container that does my email.

      Most of the time you can avoid doing it the ‘stupid way’. And even the programming package managers like ‘npm’, ‘cargo’, … have started to take supply chain attacks seriously.