sharkdp / bat

A cat(1) clone with wings.
Apache License 2.0

bat 0.22.1 installs crypto miner monero.rb #2398

Closed mgpcoe closed 1 year ago

mgpcoe commented 1 year ago

What steps will reproduce the bug?

  1. Install/upgrade to latest

What happens?

Up-to-date malware scanners detect and isolate monero.rb.

What did you expect to happen instead?

Not to have such a useful tool act as a Trojan horse for a crypto miner.

How did you install bat?

homebrew

Cause seems pretty obvious -- there doesn't appear to be any dependency version pinning on 0.22.1, so any of bat's dependencies, or their unpinned dependencies, could easily introduce this problem. Please be sure to always pin your dependency versions.

Enselic commented 1 year ago

Thank you for reporting.

To install "blessed" dependencies, you need to pass --locked to cargo install. This is considered by some (me included) to be a bad default behaviour in cargo. This is tracked in https://github.com/rust-lang/cargo/issues/7169

The installation instructions in our README are using --locked in the instructions to install from source.

Regarding the malware, do you know if this has been reported to homebrew? Does your anti-virus software also detect malware if you install with cargo install --locked bat? It would be great if you could try other installation methods. If we can isolate this to only affect homebrew, that would be very good to know.

Enselic commented 1 year ago

@mgpcoe I can't reproduce this with virustotal.com and Linux. Neither with nor without --locked. Does virustotal.com complain about the binary you have?

Here are the results of both builds:

Here are my commands

```
% cargo install --locked bat
    Updating crates.io index
  Downloaded bat v0.22.1
  Downloaded 1 crate (1.6 MB) in 0.62s
  Installing bat v0.22.1
   Compiling libc v0.2.125
   Compiling proc-macro2 v1.0.39
   Compiling unicode-ident v1.0.0
   Compiling syn v1.0.95
   Compiling autocfg v1.0.1
   Compiling pkg-config v0.3.24
   Compiling serde_derive v1.0.144
   Compiling cfg-if v1.0.0
   Compiling memchr v2.4.1
   Compiling serde v1.0.144
   Compiling encoding_index_tests v0.1.4
   Compiling tinyvec_macros v0.1.0
   Compiling proc-macro-hack v0.5.19
   Compiling hashbrown v0.11.2
   Compiling lazy_static v1.4.0
   Compiling log v0.4.14
   Compiling os_str_bytes v6.3.0
   Compiling bitflags v1.3.2
   Compiling matches v0.1.9
   Compiling regex-syntax v0.6.27
   Compiling crc32fast v1.3.0
   Compiling same-file v1.0.6
   Compiling safemem v0.3.3
   Compiling once_cell v1.13.1
   Compiling termcolor v1.1.2
   Compiling serde_json v1.0.74
   Compiling percent-encoding v2.1.0
   Compiling ryu v1.0.9
   Compiling adler v1.0.2
   Compiling regex-automata v0.1.10
   Compiling linked-hash-map v0.5.4
   Compiling unicode-bidi v0.3.7
   Compiling strsim v0.10.0
   Compiling fnv v1.0.7
   Compiling itoa v0.4.8
   Compiling base64 v0.13.0
   Compiling bugreport v0.5.0
   Compiling bytemuck v1.7.3
   Compiling semver v1.0.13
   Compiling xml-rs v0.8.4
   Compiling itoa v1.0.1
   Compiling shell-escape v0.1.5
   Compiling std_prelude v0.2.12
   Compiling unicode-width v0.1.9
   Compiling bytesize v1.1.0
   Compiling shell-words v1.1.0
   Compiling ansi_term v0.12.1
   Compiling wild v2.1.0
   Compiling encoding-index-korean v1.20141219.5
   Compiling encoding-index-tradchinese v1.20141219.5
   Compiling encoding-index-singlebyte v1.20141219.5
   Compiling encoding-index-japanese v1.20141219.5
   Compiling encoding-index-simpchinese v1.20141219.5
   Compiling tinyvec v1.5.1
   Compiling miniz_oxide v0.5.1
   Compiling line-wrap v0.1.1
   Compiling form_urlencoded v1.0.1
   Compiling walkdir v2.3.2
   Compiling clap_lex v0.2.4
   Compiling yaml-rust v0.4.5
   Compiling rgb v0.8.31
   Compiling path_abs v0.5.1
   Compiling indexmap v1.7.0
   Compiling encoding v0.2.33
   Compiling ansi_colours v1.1.1
   Compiling flate2 v1.0.24
   Compiling quote v1.0.14
   Compiling aho-corasick v0.7.18
   Compiling bstr v0.2.17
   Compiling content_inspector v0.2.4
   Compiling terminal_size v0.1.17
   Compiling atty v0.2.14
   Compiling time v0.3.5
   Compiling dirs-sys-next v0.1.2
   Compiling textwrap v0.15.0
   Compiling console v0.15.1
   Compiling dirs-next v2.0.0
   Compiling unicode-normalization v0.1.19
   Compiling jobserver v0.1.24
   Compiling clap v3.2.20
   Compiling cc v1.0.72
   Compiling regex v1.6.0
   Compiling idna v0.2.3
   Compiling libz-sys v1.1.3
   Compiling onig_sys v69.7.1
   Compiling sys-info v0.9.1
   Compiling libgit2-sys v0.14.0+1.5.0
   Compiling url v2.2.2
   Compiling globset v0.4.9
   Compiling grep-cli v0.1.6
   Compiling git-version-macro v0.3.5
   Compiling thiserror-impl v1.0.33
   Compiling git-version v0.3.5
   Compiling onig v6.3.1
   Compiling bat v0.22.1
   Compiling thiserror v1.0.33
   Compiling git2 v0.15.0
   Compiling plist v1.3.1
   Compiling bincode v1.3.3
   Compiling clircle v0.3.0
   Compiling serde_yaml v0.8.24
   Compiling syntect v5.0.0
    Finished release [optimized] target(s) in 1m 27s
   Replacing /home/martin/.cargo/bin/bat
    Replaced package `bat v0.21.0 (/home/martin/src/bat)` with `bat v0.22.1` (executable `bat`)
% cp /home/martin/.cargo/bin/bat /home/martin/.cargo/bin/bat-v0.21.1-locked
% cargo install bat --force
    Updating crates.io index
  Installing bat v0.22.1
  Downloaded form_urlencoded v1.1.0
  Downloaded idna v0.3.0
  Downloaded percent-encoding v2.2.0
  Downloaded textwrap v0.16.0
  Downloaded url v2.3.1
  Downloaded terminal_size v0.2.2
  Downloaded io-lifetimes v0.7.5
  Downloaded cc v1.0.76
  Downloaded base64 v0.13.1
  Downloaded rgb v0.8.34
  Downloaded jobserver v0.1.25
  Downloaded bytemuck v1.12.3
  Downloaded rustix v0.35.13
  Downloaded time-core v0.1.0
  Downloaded regex v1.7.0
  Downloaded time-macros v0.2.6
  Downloaded pkg-config v0.3.26
  Downloaded os_str_bytes v6.4.0
  Downloaded regex-syntax v0.6.28
  Downloaded miniz_oxide v0.5.4
  Downloaded libc v0.2.137
  Downloaded time v0.3.17
  Downloaded once_cell v1.16.0
  Downloaded clap v3.2.23
  Downloaded 24 crates (2.5 MB) in 0.59s
   Compiling libc v0.2.137
   Compiling proc-macro2 v1.0.47
   Compiling quote v1.0.21
   Compiling unicode-ident v1.0.5
   Compiling syn v1.0.103
   Compiling io-lifetimes v0.7.5
   Compiling pkg-config v0.3.26
   Compiling autocfg v1.1.0
   Compiling rustix v0.35.13
   Compiling cfg-if v1.0.0
   Compiling serde_derive v1.0.147
   Compiling memchr v2.5.0
   Compiling serde v1.0.147
   Compiling bitflags v1.3.2
   Compiling linux-raw-sys v0.0.46
   Compiling encoding_index_tests v0.1.4
   Compiling tinyvec_macros v0.1.0
   Compiling log v0.4.17
   Compiling hashbrown v0.12.3
   Compiling proc-macro-hack v0.5.19
   Compiling lazy_static v1.4.0
   Compiling os_str_bytes v6.4.0
   Compiling crc32fast v1.3.2
   Compiling itoa v1.0.4
   Compiling regex-syntax v0.6.28
   Compiling linked-hash-map v0.5.6
   Compiling termcolor v1.1.3
   Compiling same-file v1.0.6
   Compiling unicode-bidi v0.3.8
   Compiling thiserror v1.0.37
   Compiling once_cell v1.16.0
   Compiling safemem v0.3.3
   Compiling time-core v0.1.0
   Compiling serde_json v1.0.87
   Compiling strsim v0.10.0
   Compiling regex-automata v0.1.10
   Compiling percent-encoding v2.2.0
   Compiling ryu v1.0.11
   Compiling adler v1.0.2
   Compiling fnv v1.0.7
   Compiling bugreport v0.5.0
   Compiling bytemuck v1.12.3
   Compiling semver v1.0.14
   Compiling base64 v0.13.1
   Compiling xml-rs v0.8.4
   Compiling shell-escape v0.1.5
   Compiling unicode-width v0.1.10
   Compiling std_prelude v0.2.12
   Compiling ansi_term v0.12.1
   Compiling shell-words v1.1.0
   Compiling bytesize v1.1.0
   Compiling wild v2.1.0
   Compiling encoding-index-tradchinese v1.20141219.5
   Compiling encoding-index-singlebyte v1.20141219.5
   Compiling encoding-index-korean v1.20141219.5
   Compiling encoding-index-japanese v1.20141219.5
   Compiling encoding-index-simpchinese v1.20141219.5
   Compiling tinyvec v1.6.0
   Compiling walkdir v2.3.2
   Compiling line-wrap v0.1.1
   Compiling time v0.3.17
   Compiling yaml-rust v0.4.5
   Compiling clap_lex v0.2.4
   Compiling form_urlencoded v1.1.0
   Compiling miniz_oxide v0.5.4
   Compiling indexmap v1.9.1
   Compiling path_abs v0.5.1
   Compiling rgb v0.8.34
   Compiling encoding v0.2.33
   Compiling ansi_colours v1.1.1
   Compiling flate2 v1.0.24
   Compiling aho-corasick v0.7.19
   Compiling bstr v0.2.17
   Compiling content_inspector v0.2.4
   Compiling unicode-normalization v0.1.22
   Compiling idna v0.3.0
   Compiling regex v1.7.0
   Compiling atty v0.2.14
   Compiling terminal_size v0.1.17
   Compiling dirs-sys-next v0.1.2
   Compiling console v0.15.2
   Compiling dirs-next v2.0.0
   Compiling jobserver v0.1.25
   Compiling url v2.3.1
   Compiling cc v1.0.76
   Compiling globset v0.4.9
   Compiling grep-cli v0.1.6
   Compiling libz-sys v1.1.8
   Compiling onig_sys v69.8.1
   Compiling sys-info v0.9.1
   Compiling libgit2-sys v0.14.0+1.5.0
   Compiling terminal_size v0.2.2
   Compiling thiserror-impl v1.0.37
   Compiling git-version-macro v0.3.5
   Compiling textwrap v0.16.0
   Compiling clap v3.2.23
   Compiling git-version v0.3.5
   Compiling onig v6.4.0
   Compiling bat v0.22.1
   Compiling git2 v0.15.0
   Compiling plist v1.3.1
   Compiling bincode v1.3.3
   Compiling clircle v0.3.0
   Compiling serde_yaml v0.8.26
   Compiling syntect v5.0.0
    Finished release [optimized] target(s) in 37.09s
   Replacing /home/martin/.cargo/bin/bat
    Replaced package `bat v0.22.1` with `bat v0.22.1` (executable `bat`)
% cp /home/martin/.cargo/bin/bat /home/martin/.cargo/bin/bat-v0.21.1
% sha256sum /home/martin/.cargo/bin/bat-v0.21.1*
461de503a9e4001d342e30f2a01aaa11391496f9d8ec766d1f0b21403039fcc5 /home/martin/.cargo/bin/bat-v0.21.1
8e9c6fde8c45810f242866b3eb91790a83eb60e701076bd1907f70c108d77dbd /home/martin/.cargo/bin/bat-v0.21.1-locked
```

Edit: I can't reproduce with cargo install bat on Mac either: https://www.virustotal.com/gui/file/be9fae824f2295fc8c6a3fc5001f0c1115c0325e52b6d798aa3bd851defb577e
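The two builds above differ exactly because `cargo install` without `--locked` re-resolves every dependency (clap v3.2.20 became v3.2.23, rustix was pulled in, and so on), which is why the two binaries hash differently. The script below is an added example, not bat's code and not posted by anyone in this thread; it turns that manual comparison into two reusable checks: `drifted_crates` diffs the `Compiling <crate> v<version>` lines cargo prints for a `--locked` build and an unlocked one, and `verify_sha256` compares a binary against a checksum recorded from a build you trust. The two log snippets are constructed for the example; their versions are taken from the output above but trimmed to a handful of crates, and the `MISSING` marker is the example's own convention.

```shell
#!/bin/sh
# Added example (not part of bat or this issue thread).
# Helpers for the situation discussed above:
#  - crate_versions / drifted_crates: which dependency versions a build
#    without --locked resolved differently from the Cargo.lock build, read
#    from the "Compiling <crate> v<version>" lines cargo prints.
#  - verify_sha256: compare a binary against a checksum recorded from a
#    build you trust (the thread does this by hand with sha256sum).
# The two logs below are constructed; versions come from the output posted
# above, trimmed to a handful of crates.
LC_ALL=C
export LC_ALL

LOCKED_LOG='   Compiling libc v0.2.125
   Compiling clap v3.2.20
   Compiling regex v1.6.0
   Compiling time v0.3.5
   Compiling bat v0.22.1'

UNLOCKED_LOG='   Compiling libc v0.2.137
   Compiling clap v3.2.23
   Compiling regex v1.7.0
   Compiling time v0.3.17
   Compiling rustix v0.35.13
   Compiling bat v0.22.1'

# crate_versions LOG: print "crate version" pairs, one per line, sorted by
# crate name. Lines that are not "Compiling <crate> v<version>" are ignored.
crate_versions() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Compiling \([^ ]*\) v\([^ ]*\).*$/\1 \2/p' \
        | sort
}

# drifted_crates LOCKED_LOG UNLOCKED_LOG: print "crate locked unlocked" for
# every crate whose version differs, or "crate MISSING unlocked" for a crate
# the unlocked resolution pulled in that the lockfile build never compiled.
# Crates with identical versions in both builds are not printed.
drifted_crates() {
    locked_tmp=$(mktemp) || return 1
    unlocked_tmp=$(mktemp) || return 1
    crate_versions "$1" > "$locked_tmp"
    crate_versions "$2" > "$unlocked_tmp"
    # First file fills the locked[] table; second file is compared against it.
    awk 'NR == FNR { locked[$1] = $2; next }
         !($1 in locked)  { print $1, "MISSING", $2; next }
         locked[$1] != $2 { print $1, locked[$1], $2 }' \
        "$locked_tmp" "$unlocked_tmp"
    rm -f "$locked_tmp" "$unlocked_tmp"
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE's SHA-256 matches.
# Uses sha256sum (coreutils) or shasum (macOS/BSD), whichever is present.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    else
        actual=$(shasum -a 256 "$1" | cut -d ' ' -f 1)
    fi
    [ "$actual" = "$2" ]
}

# Stand-alone demo: list the drift between the two constructed builds.
echo "crates that resolved differently without --locked (crate locked unlocked):"
drifted_crates "$LOCKED_LOG" "$UNLOCKED_LOG"
```

To use it on real output, capture `cargo install --locked bat 2>&1` and `cargo install --force bat 2>&1` into two files and pass their contents to `drifted_crates`; any line it prints is a crate the maintainers' Cargo.lock did not test. `verify_sha256` is the same check the thread performs with `sha256sum`, made into a pass/fail exit status so it can gate an installation step.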

Enselic commented 1 year ago

I don't see a reason to keep this issue open any longer. Closing.