Over 100,000 Infected Repos Found on GitHub- Im concerned as i use obtainium as recommended

Viper · March 3, 2024, 4:26am

Hi as per title, should we be worried if we’re using obtaininum?

archerallstars · March 3, 2024, 5:35am

I doubt this issue is limited to Obtaininum, since this could happen to any software that you get from anywhere else (both open source and proprietary software) if they use the libs or the packages from those malicious repos in their apps, etc.

Viper · March 3, 2024, 5:50am

can we do anything to limit our damage if it were to occur? Limit how many apps we install? Go back to fdroid?

archerallstars · March 3, 2024, 5:54am

If you can’t trust your apps’ developers, the only thing you can do is to uninstall the apps.

exaCORE · March 3, 2024, 5:56am

It doesn’t seem to be an issue of too much concern, just be vigilant and careful and only use reputable software. While this articles says these are advantages for attackers (and perhaps they are), it makes attacks not as likely on users IMO

xe3 · March 3, 2024, 5:59am

Know what you are installing, know who the actual developer is and how to find the official versions of that software.
Source it through legit official channels (direct from the developer or a 3rd party you trust as much or more than the developer)
Hope that the developers of the software you use are also careful themselves when it comes to #1 and #2

rollsicecream · March 3, 2024, 10:28am

And also checking digital signatures is a good thing to do.

SkewedZeppelin · March 3, 2024, 2:41pm

From what I understand these are all typosquatted repos/forks, not actual compromised original/official repos.

I mentioned this as an issue previously:

Viper · March 4, 2024, 3:21am

Hmm so I’m guessing i should prioritise where i get my apps, as follows:

Gplay store
Fdroid
Github/Obtainium (last resort)

Is that a better upgrade?

Tech-Trooper · March 4, 2024, 10:17am

Is there any app you cannot find in either Google play/aurora store or fdroid?

anonymous159 · March 4, 2024, 10:57am

why play store over fdroid???

Viper · March 5, 2024, 1:28am

I think because playstore removes apps that are malicious and fdroid doesnt. Safer.

exaCORE · March 5, 2024, 1:35am

That isnt true. The main issue revolves around how fdroid signs apps itself versus how GP uses dev signed apps (fdroid is working on using reproducible builds, but there are a couple other security issues with fdroid that im not too familiar with. I still love fdroid though and use it instead of google play )

SkewedZeppelin · March 5, 2024, 2:27am

@exaCORE
Google Play signs apps too these days.

If you haven’t already done so, enroll in Play App Signing, which is the mandatory way to upload and sign all new apps since August 2021.

And nearly all new apps on F-Droid are developer signed.

exaCORE · March 5, 2024, 2:45am

Ah! Thanks for the information! Is this done through reproducible builds?

rollsicecream · March 9, 2024, 7:12pm

I think that, yes, that’s the case.

Topic		Replies	Views
GitHub comments abused to push malware via Microsoft repo URLs Off Topic software	2	235	April 21, 2024
What about Thorium Browser? Tool Suggestions invalid	2	2286	October 17, 2023
Mullvad Browser Trojan:Script/Wacatac.B!ml Questions browsers	20	1103	April 9, 2024
SSH backdoored by xz compression library in Fedora 40 Beta, Fedora Rawhide, Debian Sid, openSUSE Tumbleweed (+ likely other distros) Privacy	24	905	April 1, 2024
Midori Browser (Gecko Browser for Desktop, Android) Tool Suggestions rejected	22	1365	November 24, 2023

Over 100,000 Infected Repos Found on GitHub- Im concerned as i use obtainium as recommended

Related Topics