com.unity.mathematics flagged as containing malicious code

Discussion in 'Package Manager' started by elZach, Jun 21, 2022.

  1. elZach
     Joined: Apr 23, 2017 | Posts: 48
  2. fherbst
     Joined: Jun 24, 2012 | Posts: 802
  3. LeonhardP (Unity Technologies)
     Joined: Jul 4, 2016 | Posts: 3,136
    Thanks for flagging. I've forwarded it to the team.
  4. Noisecrime
     Joined: Apr 7, 2010 | Posts: 2,054
    May I request that you keep us updated in this thread or in a new sticky.

    I've seen another report of the same issue regarding the unity.postprocessing package, and others, so clearly this seems to be a wide-ranging, possibly all-Unity-packages issue, at least with regards to GitHub. Hopefully it's just a false flag that Unity needs to get GitHub to address, but if not, then it might be something far more serious.

    Either way, I feel that after the recent issue with the Unity Hub and NPM we deserve to get some meaningful feedback on what has happened once Unity has investigated, and sooner rather than later.

    Thanks

    Edit: m0nsky seems to have more details of the problem, which suggest it's a false flag due to someone 'impersonating' Unity package names and thus getting them flagged. Obviously needs further investigation, but might be a useful starting point.
     
    Last edited: Jun 21, 2022
  5. m0nsky
     Joined: Dec 9, 2015 | Posts: 257
    Not knowing there was a specific Package Manager sub-forum, I've posted some additional information over here that might be useful.
     
  6. Tautvydas-Zilys (Unity Technologies)
     Joined: Jul 25, 2013 | Posts: 10,674
    We are still investigating, but from what we can tell so far, somebody published malware on NPM named after official Unity package names (like com.unity.mathematics). Since Unity doesn't use NPM, these names were available. And since, again, Unity doesn't use NPM, you won't pull the "malware versions" into your project unless you try to install them via the npm command line manually. Since the Unity Package Manager uses the same .json format as NPM, it's getting flagged because the scanning tool thinks the package will be installed from NPM (even though it won't, as NPM isn't used by Unity). We will have more information available soon.
     
  7. DetroitBrian (Unity Technologies)
     Can't spell "Community" without "Unity"!
     Joined: Oct 17, 2019 | Posts: 21
    Hello! As @Tautvydas-Zilys mentioned, we have become aware of some instances of rogue community packages with malicious payloads appearing on npm (known as a 'dependency confusion attack', which you can read more about here if you're interested). It is important to note that these are not official Unity packages, but rather packages from other developers in the community that we've identified as being positioned as legitimate packages from Unity in the hope of tricking users into installing them.

    At this time, our security response team is working with npm to have these malicious packages removed. npm has also been proactive in removing the malicious packages that they have identified. We have also become aware of some dependency checker tools (such as GitHub's tool and Snyk) that are identifying false positives, and we are working to get those fixed.

    We recommend that users always verify the source of any third-party or community-made packages before installing, and exercise caution with any third-party packages. We also recommend that you pin official Unity versions of packages to ensure you are always getting updates from official sources.

    We will update this thread when we have more information. Thank you!
     
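Posts 6 and 7 above describe the actual risk: the Unity Package Manager resolves com.unity.* names from packages.unity.com, not npm, so the GitHub/Snyk alerts on a Packages/manifest.json are false positives unless something in the project routes those names elsewhere. The one place that can happen is a `scopedRegistries` entry in manifest.json, which can point any scope (including "com.unity") at an arbitrary registry such as registry.npmjs.org. The script below is an added example, not Unity's code or anything posted in this thread; it audits a project for that exposure. It assumes Unity's documented scope matching (longest matching scope wins, otherwise the default registry) and the documented packages-lock.json layout (`source`, `url`); the two JSON documents embedded in it are constructed samples, and the registry names in them are hypothetical.

```python
"""Audit a Unity project's manifest and lock file for dependency-confusion exposure.

Added example (not Unity's own code). It models how the Unity Package Manager
picks a registry for a package name: the longest matching scope in
`scopedRegistries` wins, otherwise the default registry (packages.unity.com)
is used. Any com.unity.* dependency that would resolve from a non-Unity
registry, or any lock entry already pinned to one, is reported.
"""
import json

UNITY_REGISTRY = "https://packages.unity.com"
OFFICIAL_PREFIXES = ("com.unity.",)

# Constructed sample Packages/manifest.json. The hypothetical "npmjs" registry
# claims the "com.unity" scope, which would route every official package name
# to npm except the one covered by the more specific "unity-mirror" scope.
MANIFEST_JSON = """{
  "dependencies": {
    "com.unity.mathematics": "1.2.6",
    "com.unity.postprocessing": "3.2.2",
    "com.example.tools": "0.4.0",
    "com.unity.localgit": "https://github.com/example/localgit.git"
  },
  "scopedRegistries": [
    {"name": "npmjs", "url": "https://registry.npmjs.org",
     "scopes": ["com.unity", "com.example"]},
    {"name": "unity-mirror", "url": "https://packages.unity.com/",
     "scopes": ["com.unity.mathematics"]}
  ]
}"""

# Constructed sample Packages/packages-lock.json in Unity's documented layout.
LOCK_JSON = """{
  "dependencies": {
    "com.unity.mathematics": {"version": "1.2.6", "depth": 0,
      "source": "registry", "dependencies": {},
      "url": "https://packages.unity.com"},
    "com.unity.postprocessing": {"version": "3.2.2", "depth": 0,
      "source": "registry", "dependencies": {},
      "url": "https://registry.npmjs.org"},
    "com.unity.modules.ui": {"version": "1.0.0", "depth": 0,
      "source": "builtin", "dependencies": {}}
  }
}"""


def normalize(url):
    """Compare registry URLs without trailing-slash or case noise."""
    return url.rstrip("/").lower()


def is_official_name(name):
    return name.startswith(OFFICIAL_PREFIXES)


def is_registry_spec(spec):
    """True when a manifest version string resolves via a registry (not git/file)."""
    return "://" not in spec and not spec.startswith(("file:", "git+", "git@"))


def registry_for(name, scoped_registries):
    """Return the registry URL Unity would use for `name`.

    A scope matches when it equals the package name or is a dot-delimited
    prefix of it; the longest matching scope wins. No match means the
    default Unity registry.
    """
    best = None
    for reg in scoped_registries:
        for scope in reg.get("scopes", []):
            if name == scope or name.startswith(scope + "."):
                if best is None or len(scope) > len(best[0]):
                    best = (scope, reg["url"])
    return best[1] if best else UNITY_REGISTRY


def audit_manifest(manifest_text):
    """List (name, url) for com.unity.* deps that would resolve outside Unity's registry."""
    manifest = json.loads(manifest_text)
    regs = manifest.get("scopedRegistries", [])
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        if not is_official_name(name) or not is_registry_spec(spec):
            continue
        url = registry_for(name, regs)
        if normalize(url) != normalize(UNITY_REGISTRY):
            findings.append((name, url))
    return findings


def audit_lock(lock_text):
    """List (name, url) for com.unity.* lock entries already pinned to a non-Unity registry."""
    lock = json.loads(lock_text)
    findings = []
    for name, entry in lock.get("dependencies", {}).items():
        # builtin, git, local and embedded packages carry no registry URL
        if entry.get("source") != "registry" or not is_official_name(name):
            continue
        url = entry.get("url", "")
        if normalize(url) != normalize(UNITY_REGISTRY):
            findings.append((name, url))
    return findings


if __name__ == "__main__":
    for name, url in audit_manifest(MANIFEST_JSON):
        print(f"manifest: {name} would resolve from {url}")
    for name, url in audit_lock(LOCK_JSON):
        print(f"lock:     {name} is pinned to {url}")
```

On a clean project both audits return nothing, which is the evidence that a scanner alert on the manifest is the false positive described above. Run it against `Packages/manifest.json` and `Packages/packages-lock.json`; the lock-file check matters because an attacker-controlled scope can be removed from the manifest while a previously resolved entry still records the foreign `url`.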
  8. fherbst
     Joined: Jun 24, 2012 | Posts: 802
  9. luisfinke
     Joined: Dec 2, 2017 | Posts: 8
    We noticed something strange in our executable. Could be nothing, but could be related. The "Input_CUSTOM_GetKeyDownInt" method was throwing an exception. The reason this seems strange is that I wouldn't expect a built-in Unity method name to contain "CUSTOM" text. Is this normal, or does this seem suspicious?
     
  10. Tautvydas-Zilys (Unity Technologies)
     Joined: Jul 25, 2013 | Posts: 10,674
    It's normal. That function is part of the engine C# <-> C++ glue.