Official Unity Hub 3.1 Release Overview

I updated to Hub 3.1.0 on macOS. macOS has a feature that by default prompts the user for program-specific file access permissions. Hub asked for permissions to access the Desktop (allowed) and the OneDrive folder (rejected). It ended up creating an empty text file on the Desktop.

From a quick search, it looks like an updated Node module in this release did something.
https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1068677029
edit: Unity Hub.app/Contents/Resources/app.asar definitely has the script that does this.

 

Why does it also include a text file called WITH-LOVE-FROM-AMERICA.txt on your desktop after you update?

 

maybe because it was made with love ))

 

Turns out Unity need to blacklist using node-ipc - the author has been up to some really dodgy stuff, this being the least of it - not long ago he had code in that would wipe data from Russian systems and when caught out tried backtracking massively and making light of it. !!!!!!!!!!!! Please do something to warn USERS besides publishing new versions · Issue #7054 · vuejs/vue-cli (github.com)

 

Ah yes, the only time I update Unity Hub, it runs malicious third party code in my work computer. Never again

 

There's no way to prevent unity hub to auto update?

I mean, Its being a real pain since it updated from 2.4 to 3! I had login bugs, black window, can't create a new project with Unity 2019.1, and now I almost wiped out my entire PC because a suspicious file appeared in the Desktop that was just a joke from some random hacktivist!

C'mon! Make the updates optional!

 

Add the choice of LIGHT theme!

#39

 

Oh my god get off Electron already. The JS ecosystem is toxic, and any auditing that finds anything okay with it is broken to begin with. Nothing malicious happened this time, but somebody being able to just put a file on users desktops because you pulled in some dependency shows that you have zero control over anything, and next time it'll be a keylogger or a bitcoin miner or whatever.

Fire all the project managers that thought this was a good idea, burn the codebase to the ground, and build a Hub from scratch in a decent environment. You have c++ engineers, you have a game engine turning into a general purpose platform. Both of those are better choices than your current garbage fire.

And it's not like you'd lose much - you've been unable to deliver features of fixes for the Hub at anything else than a glacial speed since it shipped, with what seems to be several different teams and attempts at reboots. It's just not working - not for us, not for you, not for anyone.

Hell, it's taken you longer to make a three page app that lists folders, runs other programs, and manages a login than it takes to make a big multiplayer game.

 

How can we be sure, that this did not install the code mentioned in the link from sssembler or any other malicious functions!?

 

Today was my shipping day and thanks to this incident, it has been pushed to next Tuesday. So no you can't be sure until you make it sure.

We are wiping the system and reverting back to a backup.

This sucks.

 

Today it created a folder with the name "WITH-LOVE-FROM-"

but tomorrow, with the squealing "Save Ukrаinе" - it will remove or encrypt something important on ALL machines with Russian-locale around the World, not only in the Russian Federation!
-and what will you do after that?

 

I just built and set up a new, expensive machine. Now I'm wondering if I should wipe it clean. And maybe get rid of the Hub too if it's possible to use Unity without it.

 

I’m in a similar situation, and the last thing I i have time for now is to reinstall a machine completely. But maybe I should??

 

So far it seems like it only creates the .txt file, but honestly I am also considering restoring from a backup. Would be nice if we get a more detailed statement from the unity hub devs.

 

I am not going to take the chance. Can't say for you but no one can guarantee anything. It will be a nightmare trying to fix a Steam release with a malware on it. I mean, how would I even begin...

BTW, Unity should really stop trying to hide this and post a blog announcement, send emails etc. Before something sad happens. This needs to be put on a bright neon light up in the air so that people notice it rightaway. Posting a forum reply is not enough. It took me a while to even find that post. Also, I noticed the .txt file just before I uploaded my files...so I was just lucky. Can't say that it would be the case for many others.

I always have Kaspersky on so I am not super worried, but we did have a breach and now measures have to be taken. I have to be responsible for publicly released files. Especially if my clients are paying.

 

Right. So you use Kaspersky to shield you from (other) malware?

 

that's epic

 

I have the whole server/network firewalled with it so technically it should...although if signed software like Unity Hub has it...don't know if it is still effective. Its like your security guard letting a trusted guest in but secretly he was a terrorist..

 

Your security guard might also be a double agent: https://www.bloomberg.com/news/arti...rsky-software-risks-being-exploited-by-russia

 

Just an ordinary hysteria.

 

Well, I won't be using Kaspersky after the subscription's end. Don't want to get in the middle of an international security breach.

 

You are absolutely right.
Just so you know, there is a native alternative to unity hub written in C++ https://github.com/Ravbug/UnityHubNative
I can't say it works amazingly, but it has potential

 

Unfortunately at this point it’s more likely we get the Unity Editor rewritten on Electron instead of getting a small team to write a single small downloader / manager without it relying on a bunch of S***ty libraries.

 

Also it can potentially do much more than put a txt file on the desktop.

https://www.bleepingcomputer.com/ne...age-deletes-files-to-protest-ukraine-war/amp/

 

Any ETA when you're going to improve the search, that it not only searches the unity project folder, but in the entire path? It would a massive QoL improvement imo.

See https://forum.unity.com/threads/improve-search-functionality.794781/#post-6017576 for details.

 

"Germany’s BSI said a Russian software company could conduct operations itself, be used as a tool for an attack or be spied on without its knowledge."

A perfectly valid assessment, the Russians *could* do that. Shockingly this hypothetical scenario is a long-standing practice in the US. The Edward Snowden revelations proved that the US government can lawfully utilize secret-court orders to force private companies to create backdoors in their hard- and software while blackmailing disclosure.

Want to be safe? Trust no one. Especially not the Unity Hub after this incident.

 

Wow, the fact that someone went to the effort to write this says something. Thanks for sharing, I might take a look. Definitely jumping off hub after this.

 

Kind of feel like this needs to be a CEO statement, but what is done is done. Thank you LeonhardP for the announcement. Hopefully next time Unity handles this differently.

As for the hotfix, seems to be working good. And 4 hour turnaround is a solid job. Thank you.

 

Seriously jjejj87. Chances are using Kaspersky for protection is like stopping fire with kerosene. Given who is in charge of that company and its ties...

But let's be real. I could be a tin hat paranoid but I don't think there is any trustworthy major power government out there. It probably doesn't matter which antivirus you pick. Or OS. Or just about any piece of closed source s/w with high coverage. You can bet it probably has some deliberately planted back doors secretly forced by governments around the world. Yet, some governments look like lesser evil to me.

But back on topic. I think the biggest issue with this node-ipc 'protestware' debacle is politics taking over s/w. The 'politware'. Highlighting just how easy and dangerous supply chain attacks could be.

Some argue these are just few isolated cases blaming malicious package maintainers. Pretending it is nothing that can't be sorted by code review / auditing etc. But what if the reviewer himself has malicious intents? What about employees with malicious intents? What about basic human error that may still let crap slip through the fingers? What about small teams who simply don't have Unity's resources to audit every 3rd party piece of code they plug into their products?

Next will be Blender with its thousands of 3rd party Python modules. Or e.g. MS Teams which is Electron Node app too btw. You name it.

I think this topic is a pandora box going far beyond Unity's sandbox. Perhaps the first step with tackling this could be criminalizing any intentional harm and significantly rising the liability bar. You know ... making it impossible to hide behind:

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED ...

 

How can I stop from installing this _already_loaded_ nastiness?

- I want to do this because I have no idea what exactly from the versions (corrected or not corrected)
was loaded with a Hub and now prepare for the installation after restarting the application!

And I f@cking do not need problems with the "third-party software" I have here, on MY computer,
just because YOU - Unity Team - got into Politics and decided to "support" someone!

 

You should update to 3.1.1 right now since is the safe version.

After that, take a look on this to stop auto updates: https://forum.unity.com/threads/bizarre-ocurrence-with-unityhub-3-1-0.1253835/#post-7969725

About the politics .txt file in your Desktop, it wasn't made by Unity team, it is a bigger problem that affects lots of systems outside Unity. Some guy that maintain a dependency that literally hundreds of thousands of developers uses sabotaged its own package with this file... Unity just uses this basic package like everyone else (IMO this standard behavior is the real issue).

Just to be clear, I'm not related to Unity team and I think that they should have a better security. And also make the auto updates optional.

 

Try to comprehend stuff before you go on a rant.

You have 3.0.1 installed, which does not include that manipulated node-ipc package. 3.1.1 is the hotfix that fixes said issue introduced in 3.1.0. Just update to 3.1.1 - this doesn't affect you at all anyway.

Also, this has nothing to do with Unity going into politics. This node-ipc module is used for inter-process communication and widely used by many Node.js developers. Unity is not the only entity affected by this.
.

 

Just please add an easy way to switch accounts!
It's a pain that in order to log out an account and log in another I have to log out in the Hub, log out in the browser, login in the browser and then the Hub catch the new session.
Just keep the credentials offline, please!

 

A hub/launcher/license checker has even less reason to use nodejs / electron though.

 

Getting rid of the dependency hell does indeed seem like a good idea, given these incidents.
Although downloading and executing an alternative Hub from another random guy on the internet does also not exactly fill me with much confidence before that one has been properly vetted.

@Gennady / @matthewpruitt / @LeonhardP Is there maybe a chance that the Unity Hub team could do this and possibly replace the current Hub app with it if this native version is indeed safe and more performant on top? (Sorry for pinging all of you, not sure who's watching the thread/ responsible for this.)

 

This is unfortunately missing a few features that would make it a proper replacement of Unity Hub.

But I am quite happy with how fast UnityHubNative is. Not at all surprised though. I would LOVE for the Unity Hub to be a native app instead of an electron app. Quite surprised by this choice to be honest, of course it makes multiplatforming easier but it always end up with a worse user experience...

 

Thanks for the awareness of a native run substitute. That would be good enough for me until Unity fixes up the Mac M1 (2020 model Monterey 12.3) Unity Hub App Crash, which I posted at the Mac Unity Hub Crashed thread or some similar name.

 

Alternatively, here's a fresh idea: I hear there's this cool new cross-platform engine that all the kids are using these days and while it started as a game engine it is being used for all kinds of apps nowadays. Although the dev who ends up developing the new launcher using this pretty unknown engine should be careful, I hear their launcher nearly scraped by exposing all their users to some pretty bad malware the other day.

Hint: Just rebuild Unity Hub using the Unity Engine. Creating a 3-page app with some buttons and text is not rocket science. It might even result in getting to know a few things about the Unity workflow which could be improved, since Unity still doesn't create a game or two of their own, like another certain game engine company starting with "U"

 

How do I get rid of this little cloud "Source Control" icon?


It is appearing in a project that we uploaded to Unity Collaborate once a long time ago, but have since archived/deleted it and turned off Unity Collaborate. Why is this badge still persisting? It does not appear on any of our other projects and is confusing.

 

This is utterly embarrassing.

You must understand that we cannot trust you to ensure no malicious code will be executed in the future, if you failed to catch this?

As @Baste said, get off Electron, you're just counting down the days until a more severe issue raises its head. You have the skills and the resources to build this natively. This is a very simple product and you don't need nor want to be auditing your list of however-many-dozen dependencies, just to run and manage some other software you ship.

From the outside, it feels like Unity are hiring more and more from the webdev world, who bring their bloated technology stacks with them, and it's responsible for a lot of the poorer quality additions to the engine that are (still) arriving at magnificently slow pace, because they're dramatically overcomplicating a simple enough problem.

 

Wow, I just tried the other UnityHubNative and it's great! It's opens pretty much instantly

 

is there a way to get light mode back? my eyes have difficulty in dark mode

 

It's listed as "Under Consideration" in the roadmap.
.

 

Thanks!

 

How long would that take to do?

 

in the meanwhile, there is Unity Hub patcher, that replaces default css style with light theme,
or you can do it manually yourself and edit the template html.

 

As an employee of a company where security is paramount and we have a lot of private and strictly protected projects, not being informed directly by Unity of this breach was a serious security concern for us internally today. I only saw about this issue when I happened to see an old tweet about it and I had the breached version of the software on my work device unknowingly.

Some kind of notification to Hub users of this breach via an email or direct contact would put our minds at ease for using Unity moving forward. We are taking steps to alter our internal processes to proof important software updates due to this