Other Hub Hacked?

Updated just now and got a random text file on my desktop called WITH-LOVE-FROM-AMERICA.txt

 

This happened to me as well. From what I can piece together, it seems like it comes from this NPM package: https://github.com/RIAEvangelist/peacenotwar

Either the Unity Hub or one of it's dependencies includes this package, which seems to copy this file to the Desktop. While I support the sentiment of the above package, I find it highly disturbing that it was added into the Unity Hub, knowingly or not, without explanation or permission.

 

Same here, found it created it every time I ran Unity Hub. I have since uninstalled the Unity for now. I have had issues with identity theft before and this is not cool.

 

Here's an article with some more info about it if you're curious. Definitely gave me a compromised scare at first too.

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine | Snyk

Appears to largely be harmless, but also intentionally brings in vulnerable code so rather safe than sorry for me as well.

Edit:
Richard Fine on Twitter: "@hybridherbst @willgoldstone @RatKingsLair Hub team are on it. Hotfix available shortly." / Twitter

 

Oh.......................

Mmmmm......

edit: yeah thats not cool

gonna take me a unity break for a bit

 

Thank god I never updated from hub 2.4.5

 

So Unity is seriously updating their software without proofreading the code of the updated dependencies? So some almost random person can write some malicious S***-code on a stinky javascript that Unity uses as a dependency and it will end up running on my computer after Unity Hub update?

Has the whole world gone completely cuckoo or what?

 

Things can happen. And whilst this almost got me into a huge trouble, I dodged the bullet

But yes, maybe giving more attention to security is something we all need to be aware of.
This could have been a disaster.

 

Thats all you need to know about UnityTech professional skills... Unbelievable!