New node-ipc update deletes your harddrive if you have a russian or belarusian ip address. Pushed via github. It's kind of unprecedented for FOSS to do something like this, but it happened.
They didn't troll russians though; they ended up deleting evidence of russian war crimes against ukranians and leftist NGO's are going to have them arrested for terrorism.
github com/RIAEvangelist/node-ipc/issues/233
reddit com/r/linux/comments/tg9zk1/the_authors_of_nodeipc_have_pushed_malware_in_an/
Other urls found in this thread:
github.com
news.ycombinator.com
twitter.com
OKay but, why tf does any of this matter?
Death to Open Source
github.com
github filled with salt
it matters because the malware was pushed through an official chain and this was a dependency for a lot of shit. Unity even uses it; that means if you have ANY game that uses unity; and it got this update
>Kerbal Space Program uses unity
it deletes your hard drive
It's like if Microsoft pushed malware in a directX 12 update.
github literally hosted a geotargeted virus. if they can do it to select countries they can do it to individuals.
this is seriously unprecedented and serious business.
>Update Windows
oops! your entire hardrive is gone! slava ukranina!
reminder to NEVER AUTO UPDATE.
disable auto update on all of your shit.
only update during peak hours where if there was a poisoned update you'd hear about it rapidly (hopefully before you updated that day)
>every game using unity has it's hard drive wiped
i'm thinking this would be international news, mate. you're clearly not reporting what actually happened.
>turning off auto-updates
>microsoft windows 10 and above
let me know if you figure it out.
it only affected Belaruse and Russian ip addresses. The malware checked what your ip address was and only nuked that.
It's a fucking javascript module it's in everything.
here's your news faggot
news.ycombinator.com
>wiping hard disk based on IP address
the absolute state of software devs. even if you take being a massive activist faggot as a given, how can you not foresee that this will backfire in various ways?
on another note, all of those "modern" software projects out there that pull in 200 packages from every tranny on the internet can't be used securely in production without dedicated teams to vet them. that goes for node, golang, rust, all of that shit.
they should have known better.
>
i'm not spending 45 minutes trying to get around Any Forums's fucking spam filter to post news articles. Google it. News is starting to drop now it just happened today.