Malware detected in Unity packages (unofficial) information thread

Discussion in 'General Discussion' started by m0nsky, Jun 21, 2022.

Thread Status:
Not open for further replies.
  1. m0nsky

    m0nsky

    Joined:
    Dec 9, 2015
    Posts:
    257
    About a week ago (June 15th) I started getting these e-mails in the middle of the night:



    Upon checking my repositories, I was greeted with the following message:



    I searched discord & the forums but could not find any more information. I did some digging, and these turned out to be false positives, no problem.

    What seems to have happened:
    - Someone started creating a bunch of fake packages on the npm registry, using exactly the same names as the official Unity packages all of us are using in our project(s)
    - The packages contained malware, and have been reported, flagged and removed

    Problem solved, however:

    - The names of these malicious packages are now known in their vulnerability database. If you have dependabot enabled in your repository security settings, github automatically scans your repository to check for any known malicious packages. However, because these fake packages have exactly the same names as the official unity packages, github now thinks all projects contain malicious packages, and is sending out false positive warning emails to everyone.

    The official Unity packages are fine. If you have tried manually downloading any of these packages from an unofficial/untrusted source, please re-check the package url to see if it has been flagged as malware.

    Edit
    Just noticed there is a similar thread in the package manager sub forum over here. The mods will probably know what's best to do here.
     
    Last edited: Jun 21, 2022
    lmbarns, CodeSmile and elZach like this.
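The post above recommends re-checking where each package actually came from rather than trusting the name alone. Below is an added example of that check, written for this thread and not code from m0nsky or from Unity: it walks a Unity project's `Packages/packages-lock.json` (the `dependencies`, `source` and `url` fields are the real lock-file layout) and reports any `com.unity.*` package that resolved from a registry other than `https://packages.unity.com`. The lock-file content embedded here is constructed sample data, including the deliberately suspicious `registry.npmjs.org` entry.

```python
import json

# Constructed sample Packages/packages-lock.json (not taken from any real project).
# The com.unity.collections entry is deliberately pointed at the public npm
# registry to show what a name-only match would miss and what this check catches.
SAMPLE_LOCK = json.dumps({
    "dependencies": {
        "com.unity.textmeshpro": {
            "version": "3.0.6", "depth": 0, "source": "registry",
            "dependencies": {"com.unity.ugui": "1.0.0"},
            "url": "https://packages.unity.com",
        },
        "com.unity.ugui": {
            "version": "1.0.0", "depth": 1, "source": "builtin", "dependencies": {},
        },
        "com.unity.collections": {
            "version": "1.2.3", "depth": 0, "source": "registry", "dependencies": {},
            "url": "https://registry.npmjs.org",
        },
        "com.example.tools": {
            "version": "1.0.0", "depth": 0, "source": "git", "dependencies": {},
            "hash": "0000000000000000000000000000000000000000",  # placeholder hash
        },
    }
})

# Registries from which an official com.unity.* package is expected to resolve.
TRUSTED_REGISTRIES = {"https://packages.unity.com"}

# Sources that are not fetched from a package registry at all, so the
# "same name on npm" problem cannot apply to them.
NON_REGISTRY_SOURCES = {"builtin", "embedded", "local", "local-tarball", "git"}


def audit_lock(lock_text, trusted=TRUSTED_REGISTRIES):
    """Return (name, version, url) for every com.unity.* package that was
    resolved from a registry not in `trusted`, or that has no url at all."""
    lock = json.loads(lock_text)
    findings = []
    for name, entry in lock.get("dependencies", {}).items():
        if entry.get("source") in NON_REGISTRY_SOURCES:
            continue
        if not name.startswith("com.unity."):
            continue  # only official-namespace packages are in scope here
        url = entry.get("url", "").rstrip("/")
        if url not in trusted:
            findings.append((name, entry.get("version"), url or "<no url>"))
    return findings


def audit_lock_file(path):
    """Convenience wrapper for a real project: audit Packages/packages-lock.json."""
    with open(path, encoding="utf-8") as fh:
        return audit_lock(fh.read())


if __name__ == "__main__":
    for name, version, url in audit_lock(SAMPLE_LOCK):
        print(f"WARNING: {name}@{version} resolved from {url}, not the Unity registry")
```

Matching on the registry URL rather than the package name is the point: a Dependabot-style name match flags every project, while this check only flags a package that genuinely resolved from somewhere other than Unity's registry. Point `audit_lock_file` at your project's `Packages/packages-lock.json` to run it on real data.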
  2. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,050
    Thanks for the added details. May I suggest you repost this information in the Package Manager thread you mention, since that already has the eyes of a Unity developer and they are investigating.

    Though I am surprised a simple name match is enough to get it flagged; I would have assumed some checksum or something. But then I guess with NPM, packages regularly get updated, so maybe a checksum is too lax to rely on.
     
    m0nsky likes this.
  3. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,042