Malware in com.unity.textmeshpro

Discussion in 'UGUI & TextMesh Pro' started by yenmoc, Jun 21, 2022.

  1. yenmoc

    Joined: Sep 21, 2019
    Posts: 6
    Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

    This morning I got a dependency warning from GitHub. I don't know if this has any effect? Both the Unity Burst and TMP packages receive malware warnings.
     
    RedHillbilly likes this.
  2. Techcrafter_JW

    Joined: Jan 10, 2019
    Posts: 3
    I got many of those emails too and now I'm very worried! Is there actually malware inside those packages or is this just a false trigger?
     
  3. Stephan_B

    Joined: Feb 26, 2017
    Posts: 6,595
    There is nothing in the TMP package itself that should be of concern. You can look through the package which only contains the script files and assets. I.e., nothing out of the ordinary.

    This is likely some strange false trigger.

    Please be sure to grab packages from within the Editor via Package Manager.
     
  4. fherbst

    Joined: Jun 24, 2012
    Posts: 802
    @LeonhardP one more. There are MANY of these right now that people are obviously confused about.
     
  5. RedHillbilly

    Joined: Mar 24, 2014
    Posts: 39
    Got the message as well.
    Is it possible that a package with the exact same name but unrelated to textmeshpro has been uploaded to npm, and flagged there? GitHub then thinks this is the package referred to in the project file.
    Found this npm package:
     
    yenmoc likes this.
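
The question raised in the last post, which registry a package name in the project file actually refers to, can be checked locally. The following is an added example, not code from the thread or from Unity: it reads a Unity `Packages/manifest.json` and reports where each dependency would be fetched from. It assumes the manifest's `dependencies` and `scopedRegistries` (`url`, `scopes`) layout, `https://packages.unity.com` as the default registry, and that the longest matching scope wins; the sample manifest is constructed.

```python
import json
# Assumption: Unity's default package registry.
UNITY_REGISTRY = "https://packages.unity.com"

# Constructed sample of Packages/manifest.json; names, versions and URLs are made up.
SAMPLE_MANIFEST = """
{
  "scopedRegistries": [
    {"name": "Mirror", "url": "https://registry.example.test", "scopes": ["com.example", "com.unity.textmeshpro"]}
  ],
  "dependencies": {
    "com.unity.textmeshpro": "3.0.6",
    "com.unity.burst": "1.6.6",
    "com.example.tools": "1.0.0",
    "com.examplefoo.lib": "2.0.0",
    "com.local.pkg": "file:../pkg"
  }
}
"""

def scope_matches(scope, package):
    # A scope covers the exact name or any name below it at a dot boundary.
    return package == scope or package.startswith(scope + ".")

def resolve_sources(manifest_text):
    """Map each dependency to the registry URL it would be fetched from."""
    manifest = json.loads(manifest_text)
    sources = {}
    for name, version in manifest.get("dependencies", {}).items():
        if not version[:1].isdigit():  # local path or Git URL, no registry lookup
            sources[name] = "direct:" + version
            continue
        best_url, best_len = UNITY_REGISTRY, -1
        for registry in manifest.get("scopedRegistries", []):
            for scope in registry.get("scopes", []):
                # Assumption: the longest matching scope wins.
                if scope_matches(scope, name) and len(scope) > best_len:
                    best_url, best_len = registry["url"], len(scope)
        sources[name] = best_url
    return sources

def unexpected_unity_sources(manifest_text):
    """List com.unity.* packages that would not come from Unity's registry."""
    return sorted(name for name, src in resolve_sources(manifest_text).items()
                  if name.startswith("com.unity.") and src != UNITY_REGISTRY)

if __name__ == "__main__":
    print(unexpected_unity_sources(SAMPLE_MANIFEST))
```

An empty result means every `com.unity.*` entry in the manifest resolves to the default registry, so an alert about a same-named package on another registry does not describe what the project installs.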