Bizarre occurrence with UnityHub 3.1.0

Discussion in 'Unity Hub' started by flecona, Mar 16, 2022.

  1. flecona

    flecona

    Joined:
    Jun 11, 2018
    Posts:
    10
    I just updated my UnityHub to version 3.1.0 and upon restarting the application a text file was created on my desktop called "WITH-LOVE-FROM-AMERICA.txt", the file is empty. Is this something I should worry about?

    I tried Googling and searching in the forums but I haven't found any information about this.
     
    GamesEngineer and FamishedMammal like this.
  2. mgear

    mgear

    Joined:
    Aug 3, 2010
    Posts:
    9,058
    GamesEngineer likes this.
  3. flecona

    flecona

    Joined:
    Jun 11, 2018
    Posts:
    10
    I see now it seems harmless, but was this something unknowingly or knowingly included in UnityHub? The first thing I feared was an attack. Did not need that.
     
  4. mgear

    mgear

    Joined:
    Aug 3, 2010
    Posts:
    9,058
    GamesEngineer and flecona like this.
  5. xeleh

    xeleh

    Joined:
    Jul 22, 2016
    Posts:
    302
  6. xeleh

    xeleh

    Joined:
    Jul 22, 2016
    Posts:
    302
    Ok, just found that the auto update can be disabled. All you need to do:
    1. Install your previous Unity Hub version.
    2. Locate and edit the app-update.yml file (just leave the url: value empty):

        provider: generic
        url:
        updaterCacheDirName: unityhub-updater
     
    horeaper, Hurri04, SpockBauru and 2 others like this.
  7. flecona

    flecona

    Joined:
    Jun 11, 2018
    Posts:
    10
    Thanks! This is much better than suggesting to all my co-workers to stop using Unity Hub for a while.
     
  8. SpockBauru

    SpockBauru

    Joined:
    Apr 12, 2021
    Posts:
    23
    Thank you! Unity Hub is being a real pain since it auto updated to 3.0. No more auto updates for me!
     
  9. The_Dark_Swordsman

    The_Dark_Swordsman

    Joined:
    May 16, 2020
    Posts:
    6
    Hey, just wanted to note that it actually was intended to be malicious for people living in certain countries. Though, it is entirely possible that the location check could be incorrect and affect people outside those countries.

    Here is the GitHub issue that shows the code, where it would re-write files on your system with hearts, effectively destroying the system and any attached drives. This would have been detrimental to anyone that doesn't practice secure backups. https://github.com/RIAEvangelist/node-ipc/issues/233

    Also, here is the NIST entry where it's listed as a critical security vulnerability and as malware. https://nvd.nist.gov/vuln/detail/CVE-2022-23812

    Thankfully it's solved now, and it actually shouldn't have worked due to a rejected API key for location checking, but the code still existed in the Unity Hub and could have been triggered if that package was updated and included in Unity Hub.
     
  10. jjejj87

    jjejj87

    Joined:
    Feb 2, 2013
    Posts:
    1,110
    Thanks for the detailed info. Much appreciated
     
  11. petey

    petey

    Joined:
    May 20, 2009
    Posts:
    1,773
    So if it was installed, would it have erased everything with hearts by now? Or could that just kick around and happen randomly.
     
  12. SpockBauru

    SpockBauru

    Joined:
    Apr 12, 2021
    Posts:
    23
    The malicious part that does something with the Russian IPs was blocked by the node-ipc developers way before Unity received the package. Just the joke file passed to Unity Hub. It's harmless but serves as an alert to the team about the trust of their code suppliers.

    For our side as Unity users, it does nothing but include that file in the desktop, no need to panic.
     
  13. petey

    petey

    Joined:
    May 20, 2009
    Posts:
    1,773
    Oh thanks! @SpockBauru
    Well it sparked me to double check all of my backup systems, so that's probably a good thing.
    So if I use the code above to stop the Hub auto updating, how would you go about updating it in future?
     
  14. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,009
    Apart from completely eroding any trust I had for Unity software to be safe and secure. To learn they don't even audit the code dependencies they include in their software is a nasty wake up call. All things considered it seems Unity were lucky this time. However it appears as though no-one actually knows if there could be anything malicious in the third party code dependencies they are using for the Hub, as they never audited them in the first place.

    You say the malicious code was blocked by the node-ipc developers, yet I've seen some reports of the code having entered the wild. However I cannot validate those reports so I'm willing to be sceptical of them. Can you provide a link to any information that the code never made it out and into other software? It would certainly go a long way to restore some faith in the nodejs system.
     
    EvOne and BackgroundMover like this.
  15. SpockBauru

    SpockBauru

    Joined:
    Apr 12, 2021
    Posts:
    23
    I can only talk about unity hub client that I received on my PC, there's an official statement about it: https://forum.unity.com/threads/1254597/

    About other software, it is impossible to know.

    About the nodejs system, it is not safe, there's no faith to put in it, and thousands of companies should stop using it immediately.

    A while ago the libraries "faker" and "colors" were sabotaged by their own owner:
    https://www.bleepingcomputer.com/ne...-colors-and-faker-breaking-thousands-of-apps/

    Now it is node-ipc:
    https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

    Edit: At the end of last year, two libraries were hijacked:
    https://www.bleepingcomputer.com/ne...npm-library-hijacked-to-steal-user-passwords/

    https://www.bleepingcomputer.com/ne...hijacked-to-install-password-stealers-miners/

    It really shows how vulnerable all the supply chain is.
     
    Last edited: Mar 18, 2022
    Metalsoul and stefan_s_from_h like this.
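
For the dependency-audit question raised in this thread, an added example (not part of any forum post, and not Unity's or node-ipc's code): it walks a parsed package-lock.json in either layout and reports every installed copy of `node-ipc` or `peacenotwar`, along with which package requests it and with what version range. The package names come from the links above; the sample lockfile, `example-app`, `build-helper` and all version numbers are constructed placeholders.

```javascript
// Added example. Package names come from the thread's links; the lockfile
// and every version number below are constructed placeholders.
const WATCHED = new Set(['node-ipc', 'peacenotwar']);
const NM = 'node_modules/';

// Flatten either lockfile layout into {name, version, path, requires} rows.
function flatten(lock) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(NM);
      out.push({
        name: i === -1 ? (meta.name || '(root)') : path.slice(i + NM.length),
        version: meta.version, path: path || '(root)',
        requires: { ...meta.dependencies, ...meta.optionalDependencies },
      });
    }
    return out;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested tree
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, version: meta.version,
        path: [...trail, name].join(' > '), requires: meta.requires || {} });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Report each installed copy of a watched package and who asks for it.
function auditLock(lock, watched = WATCHED) {
  const rows = flatten(lock);
  return rows.filter(r => watched.has(r.name)).map(r => ({
    name: r.name, version: r.version, path: r.path,
    requiredBy: rows.filter(d => r.name in d.requires)
      .map(d => `${d.name} (${d.requires[r.name]})`),
  }));
}

const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '1.0.0', dependencies: { 'build-helper': '^1.0.0' } },
  'node_modules/build-helper': { version: '1.0.4', dependencies: { 'node-ipc': '^1.2.3' } },
  'node_modules/node-ipc': { version: '1.2.3', dependencies: { peacenotwar: '^0.0.1' } },
  'node_modules/peacenotwar': { version: '0.0.1' },
} };
console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To audit a real project, pass the `JSON.parse` result of its package-lock.json to `auditLock`. A caret or tilde range in `requiredBy` means an install done without the lockfile can resolve to a newer release than the one recorded.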