We just learned of a major compromise of FOSSHub, where a hacker was able to replace downloads with malicious binaries that overwrite your MBR (Master Boot Record). This will create issues for computers when they reboot. This issue appears to be one that is recoverable. Since we do not know the extent of the compromise yet, we are sharing all packages that could potentially be affected (even though the hacker has only claimed a few).
If you are using the community repository for packages (https://chocolatey.org/packages), please ensure that you have VirusTotal turned on as an added measure of protection. See https://chocolatey.org/docs/features-virus-check for details. Even with VirusTotal checks turned on, it appears that most scanners will not detect it. For that reason you may wish to turn down the number of positives to 1 until this is resolved. For reference, see https://www.virustotal.com/en/file/a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032/analysis/1470182253/.
```
choco config set virusScannerType VirusTotal
choco feature enable -n virusCheck
choco config set virusCheckMinimumPositives 1
```
Avoid - Chocolatey.org Packages downloading from FOSSHub without checksums
These are packages that should be avoided at all costs. Do not install or upgrade any of the following:
Complete List - Chocolatey.org packages downloading from FOSSHub
This is the complete list of all affected packages, including those with checksums. Packages with checksums verify the downloaded binary and block the install when the checksum does not match. Please do not ignore checksums for the following packages, as doing so could have disastrous results.
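As an added illustration (not code from the Chocolatey project or from this post), here is the `chocolateyInstall.ps1` pattern that decides whether a swapped binary gets run: the weak form downloads without a checksum and installs whatever the host serves, while the hardened form passes `-Checksum`/`-ChecksumType` so `Install-ChocolateyPackage` aborts when the SHA256 of the downloaded file differs. The package name, URL and checksum value are placeholders.

```powershell
# chocolateyInstall.ps1 (illustrative; package name, URL and checksum are placeholders)

# Weak form: whatever the download host returns is executed. If the mirror is
# compromised and the installer is swapped, nothing here notices.
#
# Install-ChocolateyPackage -PackageName 'exampletool' -FileType 'exe' `
#     -SilentArgs '/S' -Url 'https://downloads.example.invalid/exampletool-setup.exe'

# Hardened form: record the SHA256 of an installer the maintainer verified out of
# band (for example with Get-FileHash -Algorithm SHA256 on a copy obtained from the
# vendor, not from the mirror). Install-ChocolateyPackage hashes the file it
# downloads and refuses to run it when the hash does not match, so a replaced
# binary fails the install instead of running.
$packageArgs = @{
    packageName    = 'exampletool'                                               # placeholder
    fileType       = 'exe'
    silentArgs     = '/S'
    url            = 'https://downloads.example.invalid/exampletool-setup.exe'   # placeholder
    checksum       = 'REPLACE_WITH_SHA256_OF_VERIFIED_INSTALLER'                 # placeholder
    checksumType   = 'sha256'
    validExitCodes = @(0)
}
Install-ChocolateyPackage @packageArgs
```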
Possible Action Necessary, Especially for Pro Users
If you are running `choco upgrade all`, please ensure you pin any packages in the list above so they are not upgraded to possibly malicious binaries.
- For example: `choco pin audacity`
- Run `choco pin -h` for details
Checksum Requirement on Roadmap for Community Packages
We have been moving towards requiring checksums on all packages that download binaries, especially packages that use http instead of https for downloads. This event may move up the timeline on that requirement. We will move choco clients to a default of not installing any package that doesn't include a checksum if it comes from a remote source, but provide configurable overrides (for those that need the functionality).