ghrc.io Appears to be Malicious
63 points by iris
Microsoft: Let’s buy the microsoft tld, scammers won’t have the millions of dollars necessary to set up a typo squat TLD!
Also Microsoft:
Person 1: Which TLD should we use for our container registry?
Person 2: What about using the TLD of the Chagos Islands in the Indian Ocean?
There are 972 results on GitHub for ghrc.io (I typoed this). Mostly typos in documentation, but likely some repositories are really affected: https://github.com/search?type=code&q=ghrc.io
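A local check along the lines of that search, as an added example that is not code from the thread or from GitHub: it scans Dockerfile, Compose and CI lines for image or login hosts, reports the two hosts named in this thread as known-bad, flags any host within one edit (including an adjacent transposition such as ghrc/ghcr) of an allowed registry as a likely typo, and lists anything else not on the allowlist as unknown. The allowlist, the regex and the sample lines are constructed for the example.

```python
import re

# Registry hosts this organisation actually uses (constructed allowlist).
ALLOWED_REGISTRIES = {"ghcr.io", "docker.io", "quay.io"}

# Hosts named in the thread as typo-squats of ghcr.io.
KNOWN_BAD = {"ghrc.io", "ghci.io"}

# Host part of an image reference or login target in Dockerfile, Compose and CI lines.
# Docker Hub shorthand ("FROM python:3.12-slim") has no dot in the host, so it is not matched.
IMAGE_REF = re.compile(
    r"""(?:^\s*FROM\s+|\bimage:\s*|\bdocker\s+(?:pull|push|login)\s+)["']?"""
    r"""([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?=[/:\s"']|$)""",
    re.IGNORECASE,
)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters.
    Plain Levenshtein would count ghrc -> ghcr as 2; here it is 1, which is what a typo looks like."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(host: str) -> str:
    """Verdict for one registry host name."""
    host = host.lower()
    if host in ALLOWED_REGISTRIES:
        return "ok"
    if host in KNOWN_BAD:
        return "known-bad"
    for good in ALLOWED_REGISTRIES:
        if osa_distance(host, good) <= 1:
            return f"suspicious (looks like {good})"
    return "unknown"


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, host, verdict) for every referenced host that is not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_REF.finditer(line):
            host = m.group(1).lower()
            verdict = classify_host(host)
            if verdict != "ok":
                findings.append((lineno, host, verdict))
    return findings


# Constructed sample: a Dockerfile fragment, a GitHub Actions step and two Compose entries.
SAMPLE = """\
FROM ghcr.io/example-org/base:1.2
FROM ghrc.io/example-org/tool:latest
      - run: docker login ghci.io -u "$USER" --password-stdin
    image: docker.io/library/nginx:1.25
    image: registry.example.internal/app:3
FROM python:3.12-slim
"""

if __name__ == "__main__":
    for lineno, host, verdict in scan(SAMPLE):
        print(f"line {lineno}: {host}: {verdict}")
```

Pointing this at every Dockerfile, compose file and workflow in a checkout is the cheap part; the allowlist is what makes the transposition check meaningful, since "one edit away from something we trust" is only a signal when the trusted set is small.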
Is it reasonable to expect one of:
Or are these unpalatable mitigations?
IMO the biggest mistake is a UI that encourages a user to type a domain (or package) name by hand. I realise that’s tough when you need to be able to log in to arbitrary container registries but options exist… There’s the carrot approach like crates.io which gives you copy-paste blocks for whatever you were about to type. Or you could get out the stick and turn the config into a multi-field JSON blob that a user is going to avoid typing if they possibly can.
I don’t think domain name sellers really have much visibility into “this site is accessed a lot”, do they? Especially at time of purchase.
As to the first one… it does feel like Github could have bought up all 16 permutations. It would be nice if there were some other mitigations available though.
The way domain purchases really seem to be a bit incontestable from the “this is clearly not a legit use, right?” perspective is annoying. I don’t know what that looks like but it sucks!
And what about existing domains? Could GitHub ask to take it down by claiming it is a phishing site?
I’m reading this and the comments and having a hard time to figure out which one is the malicious and which one is the original.
Sounds like authentication should be done with a DH system that incorporates the recipient domain, rather than static tokens.
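To make that binding concrete, as an added illustration that is not code from the thread or from any registry: the client never sends its secret; it answers a server challenge with an HMAC over the challenge and the host name it believes it is talking to, so a proof produced for a mistyped host is useless at the real registry even if an impostor relays it verbatim. An HMAC challenge-response stands in here for the DH construction the comment suggests; the host names, the Registry class and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import secrets


def client_proof(secret: bytes, challenge: bytes, host: str) -> bytes:
    """What the client sends instead of its secret: an HMAC over the server's challenge
    and the host the client believes it is talking to (the name it typed or has configured)."""
    return hmac.new(secret, challenge + b"\x00" + host.encode(), hashlib.sha256).digest()


class Registry:
    """Minimal server side (constructed): issues single-use challenges and verifies proofs
    against its *own* host name, never against whatever host the client had in mind."""

    def __init__(self, host: str, secret: bytes) -> None:
        self.host = host
        self.secret = secret  # shared secret registered for this account (constructed)
        self._issued: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, challenge: bytes, proof: bytes) -> bool:
        if challenge not in self._issued:
            return False  # unknown or already consumed: replay of an old exchange
        self._issued.discard(challenge)
        expected = client_proof(self.secret, challenge, self.host)
        return hmac.compare_digest(expected, proof)


def run_scenario() -> dict[str, bool]:
    secret = secrets.token_bytes(32)
    real = Registry("ghcr.io", secret)

    # 1. Honest login: the client typed the right host.
    c1 = real.challenge()
    honest = real.verify(c1, client_proof(secret, c1, "ghcr.io"))

    # 2. Replaying the same exchange again fails because the challenge was single-use.
    replayed_exchange = real.verify(c1, client_proof(secret, c1, "ghcr.io"))

    # 3. The user typed ghrc.io. Even if the impostor relays the real registry's challenge
    #    to the client and forwards the answer unchanged, the proof is bound to "ghrc.io".
    c2 = real.challenge()
    relayed = real.verify(c2, client_proof(secret, c2, "ghrc.io"))

    # 4. For contrast, a static token: whatever the impostor captures works verbatim.
    static_token = secrets.token_hex(16)
    captured_by_impostor = static_token
    static_replayed = hmac.compare_digest(captured_by_impostor, static_token)

    return {
        "honest_login": honest,
        "replayed_exchange_accepted": replayed_exchange,
        "relayed_proof_accepted": relayed,
        "static_token_replayed": static_replayed,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The useful property is that the client contributes the host name from its own side of the connection, the same way TLS channel binding or WebAuthn origin binding does, so a mistyped destination produces a proof the real service will not accept rather than a credential the impostor can reuse.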
It remains amazing to me that this is a safety critical infrastructure that is still fundamentally built around what are basically passwords.
Also make sure you don’t log into ghci.io, since that seems to return HTTP 200 for every path.
It’s the command for the interactive Glasgow Haskell Compiler, the REPL. So there’s an interaction with muscle memory.