MALWARE #2031

Closed
opened 2024-05-05 17:05:10 +00:00 by daniel19256 · 6 comments
daniel19256 commented 2024-05-05 17:05:10 +00:00 (Migrated from github.com)

Installs a Chrome add-on that can't be removed via conventional means (added by your "administrator") in attempts to steal data. The add-on had access to valuable data such as financial information and I would not have realised if it wasn't for the person who made this not realising that it changes your search engine to Bing. Please educate me on how to report a GitHub project.

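Chrome shows "installed by your administrator" for extensions that are pushed through the ExtensionInstallForcelist policy, and a forced default search engine is usually set through the DefaultSearchProvider* policies in the same place. The script below is an added example (not from this issue or either project) that lists those policy entries on a Windows machine so the reported symptom can be confirmed; it assumes a stock Chrome install and reads only the standard policy registry paths.

```powershell
# Added example: enumerate Chrome settings forced by Windows policy.
# A home machine that is not domain-joined normally has none of these keys,
# so any entry here is worth investigating (and is what makes an extension
# impossible to remove from the Extensions page).
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "Policy key present: $root"

    # Force-installed extensions: each value is "<extension-id>;<update-url>"
    $forceKey = Join-Path $root 'ExtensionInstallForcelist'
    if (Test-Path $forceKey) {
        $props = Get-ItemProperty -Path $forceKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata members
            $extId, $updateUrl = [string]$p.Value -split ';', 2
            Write-Host ("  Forced extension {0} (update URL: {1})" -f $extId, $updateUrl)
        }
    }

    # Search provider forced by policy (the "search engine changed" symptom)
    $search = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    foreach ($name in 'DefaultSearchProviderEnabled',
                      'DefaultSearchProviderName',
                      'DefaultSearchProviderSearchURL') {
        if ($null -ne $search.$name) {
            Write-Host ("  {0} = {1}" -f $name, $search.$name)
        }
    }
}
```

The same information is visible in the browser at chrome://policy; removing the policy entries (and then the extension) is the cleanup step, and any extension id found should be treated as an indicator to hunt for elsewhere.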
Owner

what? (excuse my baffled response)

I am one of the contributors and I can assure you there is no malware in our code.
But I am going to give you the benefit of the doubt, since it is possible that an npm dependency is infected, or that the automated pipeline for the releases is infected (?).

But, even with those possibilities in mind, correlation does not imply causation, so w/o further information I can't do much.
How are you 100% sure that th-ch/youtube-music is responsible for the chrome extension being installed?
And did you test this in a sandboxed environment to reach such a conclusion?

Owner

And also, where did you download th-ch/youtube-music from?
It is quite usual for people to create fake websites that claim to be the official website of the project, and provide a virus instead.

The only official website for this project is https://th-ch.github.io/youtube-music, any other site that claims to be official is lying to you.

Owner

PS: If you don't mind, can you share the exe you used to install th-ch/youtube-music?
I'd like to give it a look myself

Owner

PS2:

It is highly likely that you are talking about a similar project [`Youtube Music Desktop`](https://ytmdesktop.app/) which was taken down from github because one of the maintainers got their account compromised.

[Here](https://github.com/th-ch/youtube-music/issues/1893#issuecomment-2022857406) is a statement from one of their maintainers, [Alipoodle](https://github.com/Alipoodle).
And [here](https://web.archive.org/web/20240221225001/https://github.com/ytmdesktop/ytmdesktop) was their repository before it got deleted.

Chances are, you downloaded the infected release from that project.
Owner

@Alipoodle

Are you aware if that infected release forcibly installed a chrome extension to steal user data?
Although, that doesn't really sound like a great move, since one can steal data w/o a chrome extension...so I am having my doubts

Also, I see you still haven't got the org and repos back 😔

Alipoodle commented 2024-05-05 18:20:00 +00:00 (Migrated from github.com)

Regarding the issue for YTM Desktop (ytmdesktop/ytmdesktop and not this project)
We can't sadly provide much information regarding the actual executable which was given as a replacement during the 7 possible hours of it being live... 😅

The information regarding it, and the 3 accounts we found associated with it all (Adler, and 2x accounts used for hosting said viruses) were all taken down prior to any of us having noticed. The project was as well taken down in this sweep.

We have obviously only just recently provided new versions of our one on a Fork, and until now we've specifically said we aren't providing a download except from KNOWN sources (GitHub from the org) and have been VERY clear with the Fork one about GPG signing and the GH Actions making the release.

Reference: YTMD/youtube-music#2031