
Bitcoin stealer infected 700 libraries of major programming language - woliveirajr
https://decrypt.co/26025/rubygems-bitcoin-stealing-software-reversinglabs
======
dang
[https://news.ycombinator.com/item?id=22906455](https://news.ycombinator.com/item?id=22906455)

------
tgsovlerkhgsel
Ruby. "Ruby" is the word that this source intentionally hid from the headline
to make people click.

~~~
dvfjsdhgfv
I hope this can still be edited on HN to save people a click.

------
wyager
All of these attacks on language supply chains have me increasingly convinced
that, at the very least, some sort of lightweight formal verification that
"this package isn't doing anything obviously sketchy" is necessary. One
promising avenue for this is something like Safe Haskell (
[https://downloads.haskell.org/~ghc/7.8.4/docs/html/users_gui...](https://downloads.haskell.org/~ghc/7.8.4/docs/html/users_guide/safe-haskell.html) ),
which proves during compilation that a library function like

    sign :: Privkey -> Message -> Signature

can't steal your private key and ship it off to some scammer. (Because sending
your private key to a scammer requires network IO, and the type of this
function implies it doesn't do network IO, and Safe Haskell guarantees that it
doesn't use any "backdoors" to do IO.) It's not perfect, but it's a pretty
good start in the right direction.
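
An added example, not part of the comment above or of any real package: a single-file module compiled with Safe Haskell's `Safe` pragma, showing where the compiler draws the line the comment describes. The type names follow the comment's signature; the constructors, the `main` driver and the "signature" arithmetic are assumptions made for illustration, and the arithmetic is a toy placeholder, not cryptography.

```haskell
{-# LANGUAGE Safe #-}
-- Added illustration. Under the Safe pragma GHC only allows imports of
-- modules that are themselves safe (or marked Trustworthy).
module Main (main) where

import Data.Bits (xor)
import Data.Char (ord)

-- import System.IO.Unsafe (unsafePerformIO)
--   Uncommenting the line above makes GHC reject this module:
--   System.IO.Unsafe is not a safe module, so the usual escape hatch
--   for hiding IO behind a pure type is unavailable here.

newtype PrivKey   = PrivKey Int
newtype Message   = Message String
newtype Signature = Signature Int deriving (Eq, Show)

-- Pure signature-shaped function. Its type has no IO in it, and because
-- the module is Safe the body cannot smuggle IO in, so it has no way to
-- open a socket or read the clipboard.
-- Toy arithmetic only: this is NOT a real signature scheme.
sign :: PrivKey -> Message -> Signature
sign (PrivKey k) (Message m) = Signature (foldl step k m)
  where
    step acc c = (acc * 31 + ord c) `xor` k

-- A version that wanted to touch the network would have to say so in
-- its type, which is what a reviewer or a dependency audit can look for:
--
--   signViaNetwork :: PrivKey -> Message -> IO Signature

main :: IO ()
main = print (sign (PrivKey 42) (Message "constructed sample message"))
```

The guarantee covers what the pure function can do while computing its result; code that already lives in `IO` is outside it, which matches the comment's "not perfect" caveat.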

~~~
lokedhs
Qubes OS is the only solution that I know of that solves these issues right
now.

It's a pity that using it forces you to not use your GPU, which is a blocker
for many use-cases. I'm a huge fan of Qubes OS but I still don't use it on my
main workstation at home for that reason (I do use it at work).

------
fakeSocialMedia
How is copying clipboard better than a keylogger?

Why would they choose that?

~~~
ceejayoz
Virtually no one manually types in a wallet address. You copy/paste it.

> Once inside, the malware executed a malicious script that starts an infinite
> loop to capture a user’s clipboard data—with the goal of redirecting all
> potential cryptocurrency transactions to their wallet address.

Sounds like they were replacing the pasted addresses with their own when you
paste it in the "transfer currency to..." fields.

~~~
meowface
It's a clever idea, but it seems weird to me they'd do _just_ that and not
also try to steal the wallet.dat.

