
I get why people are focusing on this bad actor. But the question that interests me more: how many other apparent individuals fit the profile that this person presented before being caught?




Are you referencing the '-unsafe' suffix in the second link? That is not something to worry about.

This is from Gnulib, which is used by Gettext and other GNU projects. Using 'setlocale (0, NULL)' is not thread-safe on all platforms. Gnulib has modules to work around this, but not all projects want the extra locking. Hence the name '-unsafe'. :)

See: https://lists.gnu.org/archive/html/bug-gnulib/2024-02/msg001...


They may be right: https://git.alpinelinux.org/aports/log/main/gettext

Timeline matches and there is a sudden switch of maintainer. And they add a dependency to xz!


psykose was a prolific contributor to Alpine's aports, with thousands of commits over the past few years[0]. So, I doubt they're involved.

[0]: https://git.alpinelinux.org/aports/stats/?period=y&ofs=10


JiaT75 was also a prolific contributor to xz over the past few years, so your assumptions are generally invalid at this point.



