Possible supply chain attack #1441

Closed
@greensea

Description

I found a repo at https://github.com/siruspen/logrus. The repo has a very similar name.

For now this repo does nothing evil, but imagine the situation:

  1. Bob wants to import github.com/sirupsen/logrus (this repo), but he makes a typo and imports github.com/siruspen/logrus (the forked repo) instead.
  2. Currently these two repos do almost the same thing, so Bob doesn't notice that he imported a different repo.
  3. The forked repo adds some evil code.
  4. Bob does go get -u to upgrade the vendored version.
  5. Bob gets the evil code into his project.

I strongly suggest adding a WARNING or NOTICE in README.md to warn people that there is a similar repo, and to keep an eye out when importing logrus.

I just found that most of my projects imported the forked repo. What a bad day for me.
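A defender-side check for the scenario described above, added here as an example and not code from the logrus project or from the issue author: it reads a go.mod, collects every required module path and reports any that sit within a couple of edits of a trusted path without being that path. The trusted list, the go.mod sample and the distance threshold are constructed for the demonstration.

```python
"""Flag go.mod requirements whose module path is a near-miss of a trusted path."""

# Constructed list of module paths we expect to depend on.
TRUSTED = ["github.com/sirupsen/logrus"]

# Constructed go.mod sample for the demonstration (not a real project file).
SAMPLE_GO_MOD = """module example.com/app

require (
\tgithub.com/siruspen/logrus v1.9.3
\tgithub.com/sirupsen/logrus v1.9.3
\tgolang.org/x/sys v0.15.0 // indirect
)
"""


def levenshtein(a: str, b: str) -> int:
    """Insert/delete/substitute edit distance between a and b (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def required_modules(go_mod: str):
    """Yield module paths from single-line and block-form require directives."""
    for line in go_mod.splitlines():
        fields = line.split()
        if len(fields) > 1 and fields[0] == "require":
            fields = fields[1:]  # single-line "require <path> <version>"
        # Inside a require block each entry is "<path> <version> [// indirect]".
        if len(fields) >= 2 and "/" in fields[0] and fields[1].startswith("v"):
            yield fields[0]


def look_alike_modules(go_mod: str, max_dist: int = 2):
    """Return (required path, trusted path) pairs that are close but not equal."""
    hits = []
    for path in required_modules(go_mod):
        for trusted in TRUSTED:
            if path != trusted and levenshtein(path, trusted) <= max_dist:
                hits.append((path, trusted))
    return hits


if __name__ == "__main__":
    for path, trusted in look_alike_modules(SAMPLE_GO_MOD):
        print(f"possible look-alike: {path} (did you mean {trusted}?)")
```

Run it against a real go.mod in CI and fail the build on any hit; the one-character transposition from the issue is two substitutions away in plain edit distance, which is why the default threshold is 2.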
