Skip Navigation
InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)EX
expertmadman @ expertmadman @sh.itjust.works
Posts
1
Comments
5
Joined
2 yr. ago

Why am I getting this unexpected arguments warning in python?

  • Pretty sure it’s a bug in pycharm.

    https://youtrack.jetbrains.com/issue/PY-28663

    • Proc macro sandboxing

  • we’re working on a third party solution for this. Should have some updates that sandbox cargo builds shortly.

    https://github.com/phylum-dev/birdcage

    It’s a cross-platform sandbox that works on Linux via Landlock and macOS via Seatbelt. We’ve rolled this into our CLI (https://github.com/phylum-dev/cli) so you can do thinks like: 

     undefined
            phylum

    For example for npm, which currently uses the sandbox: 

     undefined
            phylum npm install

    We’re adding this to cargo to similarly sandbox crate installations. Would love feedback and thoughts on our sandbox!

    • Rust Malware Staged on Crates.io

  • I'm one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, Github, and others - and have reported thousands of malicious packages in the last few years. If you were following GIthub's recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.

    I say all this to assure you we didn't write or release this malware. It just wouldn't make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.

    Our platform is free for developers and small teams (heck, I'll give anyone who asks for it a free pro account if you really need it). We've open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We're genuinely - really - trying to help make these ecosystems safer.

    • Malicious NPM packages attributed to North Korean state actors

  • They’re often supported by external resources, like China. There isn’t really a community inside of North Korea to draw from like you’d expect in some more established countries.

    In this case the attackers are targeting technologists and convincing them to collaborate on a git repository somewhere. That git repo includes dependencies that are hosted on npm, and require a specific order of installation to trigger the malicious behavior.

    When the unwitting dev installs thaw deps for the git reo, they receive the malicious payload as well.

    • netsec - Network Security @discuss.tchncs.de
    expertmadman @sh.itjust.works

    Malicious NPM packages attributed to North Korean state actors

    blog.phylum.io June’s Sophisticated npm Attack Attributed to North Korea

    In June 2023, Phylum was the first to unearth a series of suspicious npm publications belonging to what appeared to be a highly targeted attack. The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of...

    June’s Sophisticated npm Attack Attributed to North Korea

    To celebrate Slackware turning 30, I put on my 13.37 release t-shirt!

  • Slackware was my first Linux distro