VOGONS


First post, by UCyborg

Rank Oldbie

I reported this repo almost 3 weeks ago, but still nothing.

Arthur Schopenhauer wrote:

A man can be himself only so long as he is alone; and if he does not love solitude, he will not love freedom; for it is only when he is alone that he is really free.

Reply 1 of 8, by twiz11

Rank Oldbie

UCyborg wrote:

I reported this repo (https://github.com/akutayo2/GPlayApiCli) almost 3 weeks ago, but still nothing.

GitHub is owned by the biggest malware of 'em all, Microsoft.

Reply 2 of 8, by Robbbert

Rank Member

How do you know it's malware?

Reply 3 of 8, by RandomStranger

Rank Oldbie

I was thinking the same. Circumventing Google's user identification/authentication might break their terms of service, but not malicious on its own.


Reply 4 of 8, by jmarsh

Rank Oldbie

The user in question has forked the repository and then the only change was to replace the release download. So yes, there's a good chance they've infected it with malware.

Reply 5 of 8, by UCyborg

Rank Oldbie

https://www.virustotal.com/gui/file/3f22e6637 … ed68148f483c545

Somehow, the only reason it ended up on VirusTotal is me. 😀

Arbitrary ZIP inserted into the source tree; the malicious author force-pushes the same commit multiple times a day to inflate his contribution count. A legitimate developer would totally do that. /s

Repo was published as new, bypassing the fork function (a valid way to go in some cases, but with ill intent in this case), the README changed to direct the user to the malicious payload. The ZIP itself contains a Lua interpreter, an obfuscated script and a CMD file that invokes the Lua interpreter to execute the script. The script silently generates additional executables and installs scheduled tasks to run them.

That report on VirusTotal is not complete; it doesn't answer the question of what the generated executables do.

And that POS appears at the top of popular search engines while the legitimate repo is hidden from plain sight. 😠 Though I haven't figured out Gradle / Java to get it to run...

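A small repository triage script for the indicators UCyborg lists in the post above (an archive dropped into the source tree, a README that steers users to a payload hosted outside the repo's own releases, and bursts of identical commits on one day). This is an added example, not code from the thread or from the repository being discussed; the file list, README text, repo URL and commit log are constructed samples, and the thresholds are heuristics.

```python
import re
from collections import Counter

# Extensions that have no business being committed to a Java/Gradle source tree
ARCHIVE_OR_SCRIPT = {".zip", ".exe", ".cmd", ".bat", ".lua", ".dll"}

def suspicious_files(paths):
    """Return committed files whose extension marks a bundled payload."""
    return [p for p in paths if any(p.lower().endswith(e) for e in ARCHIVE_OR_SCRIPT)]

def offrepo_downloads(readme, repo_url):
    """Return README links that serve an archive from anywhere other than this repo's releases."""
    links = re.findall(r"https?://[^\s)\]>'\"]+", readme)
    releases = repo_url.rstrip("/") + "/releases/"
    return [u for u in links
            if re.search(r"\.(zip|exe|7z|rar)$", u, re.I) and not u.startswith(releases)]

def commit_bursts(log, threshold=3):
    """Flag (date, message) pairs seen `threshold` or more times on the same day.
    `log` is an iterable of (YYYY-MM-DD, subject) tuples, e.g. parsed from
    `git log --format=%ad%x09%s --date=short`."""
    counts = Counter(log)
    return sorted(k for k, n in counts.items() if n >= threshold)

def triage(paths, readme, repo_url, log):
    """Combine the three checks; score = number of indicator classes that fired."""
    findings = {
        "bundled_payloads": suspicious_files(paths),
        "offrepo_downloads": offrepo_downloads(readme, repo_url),
        "commit_bursts": commit_bursts(log),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings

# Constructed sample input (placeholder URLs, not the real repositories)
SAMPLE_PATHS = ["build.gradle", "src/main/java/App.java", "README.md",
                "GPlayApiCli-win64.zip"]          # archive committed into the tree
SAMPLE_README = ("# GPlayApiCli\n"
                 "Download the ready-made build: https://example.invalid/dl/GPlayApiCli-win64.zip\n")
SAMPLE_REPO = "https://github.com/example-org/example-repo"
SAMPLE_LOG = [("2024-05-01", "update"), ("2024-05-01", "update"), ("2024-05-01", "update"),
              ("2024-05-02", "update"), ("2024-04-30", "Add CLI option")]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_README, SAMPLE_REPO, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```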

Reply 6 of 8, by BEEN_Nath_58

Rank l33t

The user is probably doing this to make the GitHub graph green.

previously known as Discrete_BOB_058

Reply 7 of 8, by DracoNihil

Rank Oldbie

UCyborg wrote on Yesterday, 19:49:

I reported this repo almost 3 weeks ago, but still nothing.

These kinds of "supply chain attacks" are becoming increasingly prevalent I've noticed and it's very hard to get the attention of administrators unless this is some "ABSOLUTELY CRITICAL" internet appliance.

I'd inform the main upstream repo that's being victimized by such poisoning and see where it goes from there.

“I am the dragon without a name…”
― Κυνικός Δράκων

Reply 8 of 8, by Fazeshift

Rank Newbie

The popularity of vibe coding opens the door to a lot of these types of issues. Most people using LLMs to code are not going to verify the legitimacy of the random GitHub repos being used.

I bet that is the scenario here. The bad actor forks a repo, modifies it for a bad purpose, makes it look active/maintained, gets it to rank in search results, then waits for LLM models to utilize it when people vibe code stuff.

I'm not a developer, I just dabble a bit. If I'm seeing this regularly on GitHub, then the problem is probably widespread.