#开源项目
又一种很“新颖”的往开源项目里下毒的手法:有人对Python 包 ultralytics 发了 PR,其中包含如图分支名,当 GitHub 执行 CI 任务时,执行脚本获得仓库密钥,进而在发布包中植入加密货币挖矿程序
https://lwn.net/Articles/1001215/
BY codedump的电报频道
The campaign, which security firm Check Point has named Rampant Kitten, comprises two main components, one for Windows and the other for Android. Rampant Kitten’s objective is to steal Telegram messages, passwords, and two-factor authentication codes sent by SMS and then also take screenshots and record sounds within earshot of an infected phone, the researchers said in a post published on Friday.
To pay the bills, Mr. Durov is issuing investors $1 billion to $1.5 billion of company debt, with the promise of discounted equity if the company eventually goes public, the people briefed on the plans said. He has also announced plans to start selling ads in public Telegram channels as soon as later this year, as well as offering other premium services for businesses and users.
telegram from de