Ancestors

Toot

Written by Pierre Beyssac ✅ on 2024-10-10 at 10:38

Important heads-up to the libre/open source and github communities: there are numerous phishing sites (*) targeting github, very possibly for future attacks involving malicious code insertion in github projects. Be very careful when/where you give your credentials. Configure all your accounts to use 2FA.

(*) eu.org blocked dozens of phishing domains in the past months targeting github and it shows no sign of slowing down, on the contrary.

=> More information about this toot | More toots from pb@mast.eu.org

Descendants

Written by Pierre Beyssac ✅ on 2024-10-13 at 11:23

Now for a surprise, after talking with the owner of one of the blocked sites.

They use the following software (or a fork of it):

https://github.com/nICEnnnnnnnLee/GithubSoEasy

It's a Github proxy allowing Github access from China (Github is blocked in China).

It looks like phishing and it can be used for phishing. There's even a section "how not to be blocked following a Netcraft report" in the README, by restricting access.

=> More information about this toot | More toots from pb@mast.eu.org

Written by Valentin C. on 2024-10-10 at 13:57

@pb supply chain attacks... just like xz utils.

I'm actually surprised we didn't see more of those earlier... and TBH I don't even see how we can safely prevent them.

=> More information about this toot | More toots from shavounet@piaille.fr

Written by Pierre Beyssac ✅ on 2024-10-10 at 14:44

@shavounet shit happens, nothing new here. But you can take basic elementary measures like protecting your account.

=> More information about this toot | More toots from pb@mast.eu.org

Written by Valentin C. on 2024-10-10 at 15:37

@pb oh I don't worry about my account, but when critical projects rely on benevolent open source projects hosted in a centralized point of failure, I don't see how massive attacks are not happening... (maybe I'm just too pessimistic)

Or maybe they do 😅

=> More information about this toot | More toots from shavounet@piaille.fr

Written by Thomas Broyer on 2024-10-13 at 13:09

@pb If you can, use a passkey to log in.

If you can't, use a FIDO security key as a second factor (you might have already given your password to the phishing site but at least you'll detect it was phishing and could change your password, and your FIDO 2FA will protect you until then).

If you can't use FIDO, set up 2FA however you can, it'll always be better than relying on a password only.

Also, password managers can help detect phishing sites.

=> More information about this toot | More toots from tbroyer@piaille.fr
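The reply above says why FIDO and password managers resist phishing where a plain password or TOTP code does not: the browser fixes the origin in what gets signed, and a credential is scoped to the site it was registered for. The following added example (not code from the thread or from any of the projects mentioned) models those checks in simplified form; hostnames are placeholders, signature verification is omitted, and the rpId rule is the simplified "same host or parent domain" version.

```python
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "github.example"                  # placeholder relying-party id (assumption)
EXPECTED_ORIGIN = "https://github.example"  # placeholder origin the server expects

def host_of(origin: str) -> str:
    return urlsplit(origin).hostname or ""

def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """Browser-side rule (simplified): the requested rpId must equal the page's
    host or be a parent domain of it. A look-alike page cannot ask the
    authenticator for another site's credential at all."""
    host = host_of(page_origin)
    return host == rp_id or host.endswith("." + rp_id)

def make_client_data(challenge: str, page_origin: str) -> bytes:
    """What the browser signs over: the origin is filled in by the browser,
    the page's own JavaScript cannot change it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()

def authenticator_rp_id_hash(rp_id: str) -> bytes:
    """The authenticator binds its signature to SHA-256(rpId)."""
    return hashlib.sha256(rp_id.encode()).digest()

def verify_assertion(client_data: bytes, rp_id_hash: bytes,
                     expected_challenge: str) -> tuple:
    """Server-side checks on a login assertion (signature check omitted)."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"          # replayed or stale response
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(data.get("origin"))
    if rp_id_hash != authenticator_rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"

def password_manager_offers_fill(saved_origin: str, page_origin: str) -> bool:
    """A password manager fills only on the host it saved the credential for;
    getting no autofill on a familiar-looking login page is the warning sign."""
    return host_of(saved_origin) == host_of(page_origin)
```

A proxied copy of the real site, as in the GithubSoEasy case, still serves from its own hostname, so both `browser_allows_rp_id` and the origin check in `verify_assertion` fail for it even though the page content is identical.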

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113282693174441585