User Beware: The Fine Line Between Content And Code

March 25, 2024 by Tom Nardi 29 Comments

Everyone loves themes. Doesn’t matter if it’s a text editor or a smart display in the kitchen, we want to be able to easily customize its look and feel to our liking. When setting up a new device or piece of software, playing around with the available themes may be one of the first things you do without giving it much thought. After all, it’s not like picking the wrong one is going to do something crazy like silently delete all the files on your computer, right?

Unfortunately, that’s exactly what happened a few days ago to [JeansenVaars] while trying out a Plasma Global Theme from the KDE Store. According to their Reddit post, shortly after installing the “Gray Layout” theme for the popular Linux graphical environment, the system started behaving oddly and then prompted for a root password. Realizing something didn’t seem right they declined, but at that point, it was already too late for all of the personal files in their home directory.

Continue reading “User Beware: The Fine Line Between Content And Code” →

The Dark Side Of Package Repositories: Ownership Drama And Malware

September 8, 2021 by Maya Posch 77 Comments

At their core, package repositories sound like a dream: with a simple command one gains access to countless pieces of software, libraries and more to make using an operating system or developing software a snap. Yet the rather obvious flip side to this is that someone has to maintain all of these packages, and those who make use of the repository have to put their faith in that whatever their package manager fetches from the repository is what they intended to obtain.

How ownership of a package in such a repository is managed depends on the specific software repository, with the especially well-known JavaScript repository NPM having suffered regular PR disasters on account of it playing things loose and fast with package ownership. Quite recently an auto-transfer of ownership feature of NPM was quietly taken out back and erased after Andrew Sampson had a run-in with it painfully backfiring.

In short, who can tell when a package is truly ‘abandoned’, guarantee that a package is free from malware, and how does one begin to provide insurance against a package being pulled and half the internet collapsing along with it?

Continue reading “The Dark Side Of Package Repositories: Ownership Drama And Malware” →

Hackaday

software repositories

2 Articles

User Beware: The Fine Line Between Content And Code

The Dark Side Of Package Repositories: Ownership Drama And Malware

Search

Never miss a hack

If you missed it

I Want To Believe: How To Make Technology Value Judgements

The Life Cycle Of Nuclear Fission Fuel: From Stars To Burn-Up

A Teletype By Any Other Name: The Early E-mail And Wordprocessor

Ubiquitous Successful Bus: Version 3

The Rogue Emperor, And What To Do About Them

Our Columns

Hackers, Patents, And 3D Printing

Hackaday Podcast Episode 296: Supercon Wrapup With Tom And Al, The 3DP Brick Layering Controversy, And How To Weld In Space

This Week In Security: Hardware Attacks, IoT Security, And More

Microfluidic Motors Could Work Really Well For Tiny Scale Tasks

Retrotechtacular: The TV Bombs Of WWII

Search

Never miss a hack

Subscribe

If you missed it

Our Columns