Weird com.unity.postprocessing malware alert on Github

Discussion in 'General Discussion' started by gregoired, Jun 20, 2022.

Thread Status:
Not open for further replies.
  1. gregoired

    gregoired

    Joined:
    Apr 8, 2013
    Posts:
    20
  2. VictorBwD

    VictorBwD

    Joined:
    Sep 14, 2019
    Posts:
    6
    Me too, but I got like 10 of these warnings in 2 repositories.
     
  3. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,054
    Yeah this is a problem even if it is a false positive. The description alone makes it imperative that Unity acts on it.

    However, this is totally the wrong forum for such a post, as it's unlikely that anyone from Unity would see it. Thankfully the issue has already been posted to the Package Manager sub-forum here. This time it was related to the Mathematics package, but a Unity developer has already replied saying it's been flagged to the team, so hopefully we will see some action quickly.

    It is concerning though, especially if this is not a false positive, as the fact that multiple packages are being flagged suggests some shared code is at fault. Either that or someone has managed to false flag Unity packages in general as being a problem. Regardless, hopefully we'll get some meaningful response from Unity and they won't sweep it under the carpet like the recent Unity Hub fiasco.
     
  4. starikcetin

    starikcetin

    Joined:
    Dec 7, 2017
    Posts:
    340
    Here is what I think happened:

    Some jackass created a virus with this package name and uploaded it to NPMJS. Dependabot doesn't know about Unity or UPM yet, so it thinks your package.json file uses the NPM format. It thinks you were using the package from NPMJS registry, which was malware; while you were using the package from Unity's UPM registry, which is not malware.

    There is a feature request on Github to make Dependabot support Unity and UPM: https://github.com/dependabot/dependabot-core/issues/4589
     
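To triage such an alert, the following added example (not code from this thread, from Unity or from Dependabot) classifies a flagged package.json as a Unity Package Manager manifest, which resolves from Unity's registry, or as an npm manifest, which would actually pull the same-named npmjs package. The field heuristics (UPM-only keys such as `unity` and `displayName`, npm-only keys such as `scripts` and `main`, reverse-DNS names) and the sample manifests are this example's own assumptions and constructed data.

```python
import json
import re

# Reverse-DNS package ids such as com.unity.postprocessing (UPM convention).
_REVERSE_DNS = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+){2,}$")

# Keys assumed to appear only in one ecosystem's manifest (heuristic).
_UPM_KEYS = {"unity", "displayName", "unityRelease", "samples"}
_NPM_KEYS = {"scripts", "main", "devDependencies", "bin", "engines"}


def classify_package_json(text: str) -> str:
    """Return 'upm', 'npm' or 'unknown' for one package.json body."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    score = 2 * len(_UPM_KEYS & data.keys()) - 2 * len(_NPM_KEYS & data.keys())
    if _REVERSE_DNS.match(str(data.get("name", ""))):
        score += 1  # weak signal: npm names rarely use reverse-DNS form
    if score > 0:
        return "upm"
    return "npm" if score < 0 else "unknown"


def triage_alert(flagged_name: str, text: str) -> str:
    """Map a Dependabot alert naming `flagged_name` to a triage verdict."""
    try:
        name = json.loads(text).get("name")
    except (json.JSONDecodeError, AttributeError):
        return "investigate"
    if name != flagged_name:
        return "investigate"  # alert refers to another manifest in the repo
    kind = classify_package_json(text)
    if kind == "upm":
        return "likely-false-positive"  # resolved from Unity's registry
    if kind == "npm":
        return "act"  # a real npm manifest: the npmjs package is in play
    return "investigate"


# Constructed sample manifests; versions and fields are illustrative only.
UPM_SAMPLE = json.dumps({
    "name": "com.unity.postprocessing", "version": "1.0.0",
    "displayName": "Post Processing", "unity": "2018.4",
    "dependencies": {"com.unity.modules.physics": "1.0.0"}})
NPM_SAMPLE = json.dumps({
    "name": "com.unity.postprocessing", "version": "1.0.0",
    "main": "index.js", "scripts": {"test": "jest"}})
```

Run it over every package.json the alert points at; only an "act" verdict means the npmjs package is actually part of the build.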
  5. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,620
    It doesn't impact me so I didn't look any further, and can't find the link again, but I read a little about this yesterday.

    From memory, this is a false positive based on a library included by the Unity package. A different library elsewhere with the same name has been flagged as malware, and Dependabot is flagging all projects which include a library with a matching name.
     
  6. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,052