jsawk may contain MALWARE #1544
Comments
The issue you linked to was created by you and the assertion you make therein is simply wrong. This is
To be clear: I don't see any indication that
Go look at someone other than me posting that the author's server was compromised by malware, which may then have been injected into the jsawk codebase. I unminified and deobfuscated the code, and it looks altered from the original underscore.js library. See here: and micha/jsawk#53
Homebrew doesn't link to the upstream homepage at all that has been allegedly compromised, nor do we serve code from there. Web server vulnerability doesn't automatically === code vulnerability. If your claims are independently verified by a trusted third party we'll consider further action, but as-is the burden of proof hasn't been met.
Understood. But the point is that the author doesn't understand how to keep their resources secure, and that is putting users at risk for an existing / future backdoor in his code that WILL be injected at an opportune time when fewer are looking -- e.g. holiday season. The author's git / ssh / gpg keys may be compromised due to what we already know around the fringes. Further, obfuscated and minified JavaScript code in a bash file is incredibly suspect. As far as I can tell, that code is NOT the original underscore.js library, and no one at jsawk nor Homebrew has audited that suspicious code. FYI -- VirusTotal flagged it already, so that should be your trusted third party.
Code should be readable so people can understand it. Otherwise it will not be well reviewed and audited. Dropping malware into a "compressed and obfuscated and minified payload" is exactly the place a malicious author or attacker would hide their bad stuff. Importing a known library is fine if it is readable. The original underscore.js is in plaintext and readable. It is not acceptable for an open source project to include obfuscated code. My suggestion is to reference the resource from a trusted, verified upstream source and then pull it in as a dependency like any other package subsystem would, and to give the installing user an option to minify it or keep it in its original form so they may audit it as well. That way you know you have the right code and it is not duplicated across projects nor backdoored. As it stands right now, no one has audited that code, and thousands of folks have starred this project, making it a prime target. We already know the developer's email was probably hacked.
I did some sleuthing into the matter to make myself feel a little warmer/fuzzier. I feel both. It is in fact a minified version of Underscore.js 1.8.2.
No worries. Thanks for the update on the decompressed version of the JavaScript. Makes me feel easier too. The problem was the author's website was hacked.
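The two suggestions above (pull the library from a verified upstream, and audit the embedded blob rather than trust it) boil down to one mechanical check: extract the payload the shell wrapper embeds, undo any base64/gzip wrapping, and compare its hash against the hash of the upstream release you audited. The script below is an added example written for this page; it is not jsawk's or Homebrew's code. The embedded JS, the wrapper layout, the heredoc tag `EOF`, and the pinned hash are all constructed stand-ins (the payload is not Underscore.js), so the only thing it proves is the technique.

```python
import base64
import binascii
import gzip
import hashlib
import re

# Constructed stand-in for the JS a shell wrapper embeds. This is NOT
# Underscore.js and NOT jsawk's real payload; it only exercises the check.
UPSTREAM_JS = (
    b"(function(){var _={};_.each=function(a,f){for(var i=0;i<a.length;i++)"
    b"f(a[i])};this._=_}).call(this);"
)

# The hash you would pin in the formula/recipe: computed once from the
# upstream release file you actually audited (here, from UPSTREAM_JS above).
PINNED_SHA256 = hashlib.sha256(UPSTREAM_JS).hexdigest()


def make_wrapper(payload: bytes) -> str:
    """Build a constructed shell script that embeds `payload` in a quoted heredoc."""
    return (
        "#!/bin/sh\n"
        "JS=$(cat <<'EOF'\n"
        + payload.decode("ascii")
        + "\nEOF\n)\n"
        'echo "$JS"\n'
    )


def extract_heredoc(script: str, tag: str = "EOF") -> bytes:
    """Return the body of the first <<TAG / <<'TAG' heredoc in `script`."""
    pattern = re.compile(
        r"<<-?'?%s'?[^\n]*\n(.*?)\n%s\n" % (re.escape(tag), re.escape(tag)), re.S
    )
    match = pattern.search(script)
    if match is None:
        raise ValueError("no heredoc with tag %r found" % tag)
    return match.group(1).encode("utf-8")


def decode_payload(raw: bytes) -> bytes:
    """Unwrap base64 and gzip layers, if present, so the comparison sees plain JS.

    Plain JS fails strict base64 validation (it contains '(', '{', ';'), so it
    passes through unchanged; a base64 blob is decoded, and if the result is
    gzip (magic 1f 8b) it is inflated.
    """
    compact = b"".join(raw.split())
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return raw
    if decoded[:2] == b"\x1f\x8b":
        return gzip.decompress(decoded)
    return decoded


def verify_vendored(script: str, pinned_sha256: str, tag: str = "EOF") -> tuple:
    """Compare the embedded (decoded) payload against the pinned upstream hash.

    Returns (matches, actual_sha256) so a mismatch can be reported together
    with the hash that was actually found in the wrapper.
    """
    payload = decode_payload(extract_heredoc(script, tag))
    actual = hashlib.sha256(payload).hexdigest()
    return actual == pinned_sha256, actual


# Constructed wrappers: the audited JS verbatim, the same JS as a
# base64(gzip(...)) "compressed payload", and a copy with one extra statement
# appended, which is all a backdoor needs.
CLEAN_SCRIPT = make_wrapper(UPSTREAM_JS)
COMPRESSED_SCRIPT = make_wrapper(base64.b64encode(gzip.compress(UPSTREAM_JS)))
TAMPERED_SCRIPT = make_wrapper(UPSTREAM_JS + b"/*injected*/;")

if __name__ == "__main__":
    for name, script in [("clean", CLEAN_SCRIPT),
                         ("compressed", COMPRESSED_SCRIPT),
                         ("tampered", TAMPERED_SCRIPT)]:
        ok, actual = verify_vendored(script, PINNED_SHA256)
        print("%-10s %s %s" % (name, "OK " if ok else "MISMATCH", actual))
```

The point of comparing hashes rather than eyeballing the unminified source is that the pinned value comes from a file you fetched from the upstream release yourself, so the check fails the moment a single byte is appended, even when the payload is wrapped in base64 and gzip. Whether the blob is "Underscore.js 1.8.2" is then a fact you verified, not a belief.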
jsawk is MALWARE
See micha/jsawk#53