Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.
  2. We have updated the language to the Editor Terms based on feedback from our employees and community. Learn more..
    Dismiss Notice
  3. Unite 2023 Registrations are now LIVE! We are thrilled to announce that Unite 2023 Registration is now live and open for all!
    Dismiss Notice
New Forum User Notice Update to the Unity Editor Software Terms Unite 2023 Registrations are now LIVE!

Malware in com.unity.textmeshpro

Discussion in 'UGUI & TextMesh Pro' started by yenmoc, Jun 21, 2022.

  1. yenmoc

    yenmoc

    Joined:
    Sep 21, 2019
    Posts:
    6
    Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

    upload_2022-6-21_9-37-16.png

    This morning I got a dependency warning from git hub don't know if this has any effect? both unity brust and TMP packages receive malware warnings,
     
    yenmoc, Jun 21, 2022
    #1
    RedHillbilly likes this.

  2. Techcrafter_JW

    Techcrafter_JW

    Joined:
    Jan 10, 2019
    Posts:
    3
    I got many of those emails too and now I'm very worried! Is there actually malware inside those packages or is this just a false trigger?
     
    Techcrafter_JW, Jun 21, 2022
    #2

  3. Stephan_B

    Stephan_B

    Unity Technologies

    Joined:
    Feb 26, 2017
    Posts:
    6,588
    There is nothing in the TMP package itself that should be of concern. You can look through the package which only contains the script files and assets. Ie. nothing out of the ordinary.

    This is likely some strange false trigger.

    Please be sure to grab packages from within the Editor via Package Manager.
     
    Stephan_B, Jun 22, 2022
    #3

  4. fherbst

    fherbst

    Joined:
    Jun 24, 2012
    Posts:
    801
    @LeonhardP one more. There's MANY of these right now that people are obviously confused about
     
    fherbst, Jun 27, 2022
    #4

  5. RedHillbilly

    RedHillbilly

    Joined:
    Mar 24, 2014
    Posts:
    38
    Got the message as well.
    Is it possible that a package with the exact same name but unrelated to textmeshpro has been uploaded to npm, and flagged there? Github then thinks this is the package referred to in the project file.
    Found this npm package:
     
    RedHillbilly, Jun 30, 2022
    #5
    yenmoc likes this.