DO NOT TRUST THIS AUTHOR -- HIS CODE MAY BE BACKDOORED #53
Comments
Check this obfuscated code in the shell

It is not even close to https://raw.githubusercontent.com/jashkenas/underscore/master/underscore.js
Sure about that? It can be an old version of underscore but minified (that can explain the differences from the current one). It is weird to have a minified version of a JavaScript library in a shell program, but that also does not mean it can't be used.
Code should be readable so people can understand it. Otherwise it will not be well reviewed and audited. Dropping malware into a "compressed and obfuscated and minified payload" is exactly the place a malicious author or attacker would hide their bad stuff. Importing a known library is fine if it is readable. The original underscore.js is in plaintext and readable. It is not acceptable for an open source project to include obfuscated code. My suggestion is to reference the resource from a trusted, verified upstream source and then pull it in as a dependency like any other package subsystem would, and provide the installing user an option to minify it or keep it in original form so they may audit it as well. That way you know you have the right code and it is not duplicated across projects nor backdoored. As it stands right now, no one has audited that code and thousands of users have starred this project, making it a prime target. We already know the developer's email was probably hacked.
@9Yg1rxeSeha90ZU1 I prettified the string you supplied as well as the minified 1.8.2 version of underscore.js, then diffed the two. They are exactly the same. Hopefully this should make everyone feel a little easier about this particular attack vector. I posted the files if you want to check me. This activity is an extremely painful way to learn the internals of Underscore and the methods exposed.

He's a hacker! Flee to flight
I am getting these messages after my Gmail, contacts, photos and everything that is on my computer, including my banking information. This person has caused me havoc with not receiving my Gmails from the University, my family, businesses. Please help
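The prettify-and-diff check described in the comment above, as an added example that is not part of this thread or of the project: it extracts the heredoc blob from a shell script (a constructed sample, with a tiny stand-in for the minified library), compares its SHA-256 against the pinned upstream release, and reports the first token where the two diverge when the hash does not match. The shell script layout, the `EOF` marker and the stand-in library are assumptions.

```python
"""Check a minified JS blob embedded in a shell script against a pinned upstream
release: exact hash first, then a whitespace/comment-insensitive token diff that
points at the first place the two differ."""
import hashlib
import re

# Constructed sample shell script embedding a minified JS library in a heredoc
# (not the real project file; the JS line is a tiny stand-in for underscore.js).
SHELL_SCRIPT = """#!/bin/sh
js=$(cat <<'EOF'
var _=function(o){if(o instanceof _)return o;this._wrapped=o;};_.VERSION="1.8.2";
EOF
)
echo "$js" | node -
"""

# Constructed stand-in for the pinned upstream release file (e.g. the minified
# 1.8.2 underscore.js fetched from the verified upstream and stored alongside).
UPSTREAM_MIN_JS = 'var _=function(o){if(o instanceof _)return o;this._wrapped=o;};_.VERSION="1.8.2";'

TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/|\s+'
    r'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|[^\s\w$]', re.S)

def extract_embedded_js(script):
    """Pull the heredoc body out of the shell script (assumes the 'EOF' marker)."""
    m = re.search(r"<<'EOF'\n(.*?)\nEOF\n", script, re.S)
    if not m:
        raise ValueError("no embedded heredoc found")
    return m.group(1)

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def tokens(js):
    """Tokenize JS, dropping whitespace and comments so a pretty-printed copy and a
    minified copy of the same code compare equal (renamed identifiers do not)."""
    return [t for t in (m.group(0) for m in TOKEN_RE.finditer(js))
            if not (t.isspace() or t.startswith(('//', '/*')))]

def first_divergence(a, b):
    """Return None when the token streams match, else (index, token_a, token_b)."""
    ta, tb = tokens(a), tokens(b)
    for i, (x, y) in enumerate(zip(ta, tb)):
        if x != y:
            return (i, x, y)
    if len(ta) != len(tb):
        i = min(len(ta), len(tb))
        return (i, ta[i] if i < len(ta) else None, tb[i] if i < len(tb) else None)
    return None

def verify_embedded(script, upstream, expected_sha256):
    """Hash check against the pinned release, plus the first token-level difference."""
    blob = extract_embedded_js(script)
    return {"hash_match": sha256_hex(blob) == expected_sha256,
            "divergence": first_divergence(blob, upstream)}
```

In practice the expected hash comes from the upstream release you verified, not from recomputing it over the local copy; the token diff is only there to show where a mismatch sits.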