Yet another malware campaign, this time with a fake Windows Update

If you use Windows, please read this item! It describes a currently popular fake Windows Update exploit which is not being run from within the normal Windows Update found in the Settings app!

You may also want to share this with your less tech-savvy friends too!

Ernie

6 Likes

One had better learn how to use a VPN!!!

1 Like

Better still don’t use windows

1 Like

I’m getting there, even though I still have at least some control of my installation. Currently my greatest fear is that the next version of Windows will require a machine with hardware support for AI! When/if that happens, I’m ‘out of here!’ as far as being a Windows user is concerned. But until then, I’ll keep using it to experiment with, and figure out ways to retain as much control over my installation as I can!

Ernie

2 Likes

Not an option!!!

3 Likes

What protection do we have against fake Linux updates?
I guess you have to make sure that you always use a valid mirror site … how do you do that?
Maybe the PGP keys help with this? Do all distros use keys?
Help, I am out of my depth with this.

3 Likes

Good question. I get a notification in the LM task bar when updates are available. Then using the GUI, I apply the upgrades. Of course I have also used the CLI to perform the upgrades. I would assume both procedures use the mirrors we were talking about before.

Unlike the old TV series ‘The X Files’ and ‘Trust No One’, we have to trust someone.

3 Likes

AFAIK, this is mandatory. If someone allows an unsigned repo, it’s his own fault.
I had to sign my own repo as well. :wink:

4 Likes

Thanks for this post … I have many members of my family working with Windows …

3 Likes

This attack is a variety of social engineering. The same kind of stuff could happen with a given Linux distribution.

Thing is, Linux users tend to be more tech-savvy.

4 Likes

I know some of you don’t like to hear it, but this is, IMHO, a requirement.

4 Likes

As for Linux…

You can set up any repo you like, be it signed or unsigned.
I have my own repo, signed of course, just like @abu has…
If you add this repo to your system, and install a package from it,
you need to trust me I did not put a malware into that particular package.
My signature does not protect you from my bad attitude. It protects you only from a package somehow possibly injected into my repository without my signature.
If I were a bad guy, you would be my victim if you used packages from my repository anyway.
The same applies to all PPAs, you need to trust the owner of those if you use them.

If you have only the distro’s own repos enabled, nothing can be installed automatically, so I don’t see a chance to get a malware package from a 3rd party without your active cooperation.
I mean this for good, well-known distros, to make it clear: I think Debian, Suse, MX, Ubuntu repos will not contain malicious packages.

However, if you run such installs which look like curl ..install.sh | bash those basically circumvent the package manager, and in theory they could install a malware.

I don’t see this curl-piped-to-bash as a good habit.

I see a bigger threat in popular browser extensions which may get hijacked.
Let’s say, you install adblocker-super-pro-plus-plus into your Firefox instance, and it works exceptionally well for years.
Trillions of people around the world install this extension, as they like it.
Now imagine, a bad guy offers a good visible amount of money for the developer of this extension which he/she can’t withstand.
The extension gets sold to the bad guy, from this point nothing can stop him/her from implementing a malware in the next update, and within a few days all browsers around the world will be infected.
And this is cross-platform, doesn’t even need specifically Linux/Windows…

7 Likes
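
An added example, not part of any post in this thread: a POSIX shell check for the "someone allows an unsigned repo" case discussed above. It lists APT source entries that turn off signature verification through the `trusted=yes` / `allow-insecure=yes` options documented in sources.list(5); the function names, file names and repository URLs are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag APT source entries that disable signature checking.
# Options per sources.list(5): one-line [trusted=yes] / [allow-insecure=yes],
# deb822 "Trusted: yes" / "Allow-Insecure: yes". Commented-out lines are ignored.

# audit_apt_sources FILE...  prints file:line:text per hit; returns 1 on any hit.
audit_apt_sources() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null as a second file makes grep always print the file name
        if grep -nEi \
            -e '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(trusted|allow-insecure)=yes' \
            -e '^[[:space:]]*(Trusted|Allow-Insecure):[[:space:]]*yes' \
            "$f" /dev/null; then
            found=1
        fi
    done
    return "$found"
}

# Constructed sample files (hypothetical repos) so the check runs offline.
write_sample_sources() {
    dir=$1
    cat > "$dir/official.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
# deb [trusted=yes] http://repo.example.invalid/old ./
EOF
    cat > "$dir/thirdparty.list" <<'EOF'
deb [arch=amd64 trusted=yes] http://repo.example.invalid/apt stable main
EOF
    cat > "$dir/other.sources" <<'EOF'
Types: deb
URIs: https://repo.example.invalid/apt
Suites: stable
Components: main
Trusted: yes
EOF
}

# Demo on the constructed samples: two entries are reported.
demo_dir=$(mktemp -d)
write_sample_sources "$demo_dir"
audit_apt_sources "$demo_dir"/* || echo "entries above bypass signature checks"
rm -rf "$demo_dir"
```

On a real system, pass `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/` to `audit_apt_sources`. A clean result only means signatures are enforced; it says nothing about whether the repo owner is trustworthy.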

What kind of protection does a VPN give against malicious sites???

3 Likes

Are there any users out here who run such a construct without reviewing the script in advance?

2 Likes

Hopefully no.

2 Likes

I’m not sure at all, TBH.

3 Likes

There are other apps apart from browsers that have plugins. I suppose if they are third party, they are a risk too.

Some languages, e.g. Python, Rust, Julia, install code in ways that bypass the package system. I don’t like that.

2 Likes

So does Android not count as Linux?

1 Like

No. I really don’t count it as Linux.

1 Like

For one, you surf the web on a private IP address that disappears when the VPN is closed!!

I do visit websites that I know, like It’s FOSS, without a VPN, but for anything else, even Microsoft, I will fire up my VPN, just another layer of protection for W11!!!

1 Like