
Props to the author of the malware — not for executing a supply chain attack, but for making malware that’s not obvious to detect when running. It snags only 1000 files in HOME, only those less than 100k, and then caps it off by uploading via DNS.

I hate to “give props” to the bad guy, but as a former pentester this area is fascinating. The cat and mouse game is eternal, and both sides evolve. This malware is pretty standard, but it’s also smart — you can tell it was developed by a dev to target devs.

Any progress on blocking exfiltration via DNS? It seems only malicious programs make heavy queries like this, and it should be detectable. Even a small ML network could probably be trained to tell the difference between legit queries and malware uploads.
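One way to put the detection idea above into practice, as an added example that is not code from the thread: a scorer over resolver logs that flags a client querying many distinct high-entropy subdomains under one registered domain, which is what a chunked upload over DNS looks like and what ordinary browsing does not. The log lines, the `exfil-example.test` domain and the thresholds are constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(text):
    """Bits per character; hex/base32 payload labels sit near the maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (subdomain_part, registered_domain). Assumes the registered domain
    is the last two labels; real deployments should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_dns_log(queries, unique_threshold=20, entropy_threshold=3.0):
    """Group (client, qname) pairs by client and registered domain and flag groups
    with many distinct, high-entropy leftmost labels (the shape of DNS tunnelling)."""
    groups = defaultdict(lambda: {"names": set(), "entropies": [], "payload_chars": 0})
    for client, qname in queries:
        sub, domain = split_name(qname)
        g = groups[(client, domain)]
        if qname in g["names"]:
            continue  # repeated lookups of one name carry no new data
        g["names"].add(qname)
        g["payload_chars"] += len(sub.replace(".", ""))
        g["entropies"].append(shannon_entropy(sub.split(".")[0] if sub else ""))
    report = {}
    for key, g in groups.items():
        mean_entropy = sum(g["entropies"]) / len(g["entropies"])
        report[key] = {
            "unique_names": len(g["names"]),
            "mean_entropy": round(mean_entropy, 2),
            "payload_chars": g["payload_chars"],
            "flagged": len(g["names"]) >= unique_threshold and mean_entropy >= entropy_threshold,
        }
    return report

# Constructed sample log: ordinary lookups from one host, and 30 distinct 60-char
# hex labels under one domain from another host (what chunked uploads look like).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"), ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "api.github.com"), ("10.0.0.5", "cdn.example.net"),
] + [("10.0.0.7", hashlib.sha256(str(i).encode()).hexdigest()[:60] + ".exfil-example.test")
     for i in range(30)]

if __name__ == "__main__":
    for (client, domain), stats in score_dns_log(SAMPLE_QUERIES).items():
        print(client, domain, stats)
```

The `payload_chars` figure is the rough amount of data the flagged client pushed out through query names, which is useful context when triaging the alert.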




If we are considering improvements, I would prioritize files differently. All .dotfiles in $HOME under the 100k threshold (which feels way too large to get generically useful secrets), but then I would try to be XDG compliant, so walk everything under .config/ looking for files under ~1kb (more likely to just hold credentials). Could be more targeted and look for specific shell folders (e.g. .config/fish) where aliases and other annoying-to-type data might live.


If using GitHub Actions for CI/CD, Harden Runner (https://github.com/step-security/harden-runner) can be used to audit and block DNS exfiltration. Outbound calls from CI are predictable (to the source repo, artifact registry, etc.) and don't change often.



