this post was submitted on 14 Dec 2023
116 points (98.3% liked)

Programming

17024 readers
306 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
116
SSH keys stolen by stream of malicious PyPI and npm packages (www.bleepingcomputer.com)
submitted 9 months ago by mac@programming.dev to c/programming@programming.dev
10 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] ShaunaTheDead@kbin.social 3 points 9 months ago (1 children)

Do you think using a custom ssh key directory would prevent these malicious apps from working correctly or is there some environment variable that always points to the ssh key folder or I guess they could just run a search on the system for any files like *.pub. Are there any safety procedures that one can take to circumvent these kinds of attacks?

[โ€“] lemann@lemmy.one 1 points 9 months ago

I think so, assuming these malicious packages are all primitive enough to just look for the single file in a user's home folder lol. The only downside here is needing to provide the keyfile location to ssh every time you want to connect... Although a system search would pretty much defeat that instantly as you mention

SSH keyfiles can be encrypted, which requires a password entry each time you connect to a SSH server. Most linux distros that I've used automatically decrypt the SSH keyfile for you when you log in to a remote machine (using the user keyring db), or ask you for the keyfile password once and remember it for the next hour or so (using the ssh-agent program in the background).

On Windows you can do something similar with Cygwin and ssh-agent, however it is a little bit of a hassle to set up. If you use WSL i'd expect the auto keyfile decryption to work comparably to Linux, without needing to configure anything