Customer Advisory - FOSSHub Downloads Compromised

We just learned of a major compromise of FOSSHub, where a hacker was able to replace downloads with malicious binaries that overwrite your MBR (Master Boot Record). This will create issues for computers when they reboot. This issue appears to be one that is recoverable. Since we do not know the extent of the compromise yet, we are sharing all packages that could potentially be affected (even though the hacker has only claimed a few).

Articles

If you are using the community repository for packages (https://chocolatey.org/packages), please ensure that you have VirusTotal turned on as an added measure of protection. See https://chocolatey.org/docs/features-virus-check for details. Even with VirusTotal checks turned on, it appears that most scanners will not detect it. For that reason you may wish to turn down the number of positives to 1 until this is resolved. For reference, see https://www.virustotal.com/en/file/a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032/analysis/1470182253/.

choco config set virusScannerType VirusTotal
choco feature enable -n virusCheck
choco config set virusCheckMinimumPositives 1

Avoid - Chocolatey.org Packages downloading from FOSSHub without checksums

These are packages that should be avoided at all costs. Do not install or upgrade any of the following:

Complete List - Chocolatey.org packages downloading from FOSSHub

This represents an entire list of all packages, including those with checksums. Packages with checksums will verify the binary and not allow the install during detection. Please do not ignore checksums for the following packages as it could cause disastrous results.

https://chocolatey.org/packages/audacity
https://chocolatey.org/packages/avidemux
https://chocolatey.org/packages/classic-shell (only one older version - 4.1.0.20141002)
https://chocolatey.org/packages/ConEmu (only two older versions - 14.9.14.0 and 14.9.22.0)
https://chocolatey.org/packages/datacrow (package has checksum protection)
https://chocolatey.org/packages/freefilesync/6.9 (only this older version)
https://chocolatey.org/packages/hwinfo.install (checksum protection)
https://chocolatey.org/packages/hwinfo.portable (checksum protection)
https://chocolatey.org/packages/IrfanView (package has checksum protection)
https://chocolatey.org/packages/irfanviewplugins
https://chocolatey.org/packages/lightalloy
https://chocolatey.org/packages/mkvtoolnix
https://chocolatey.org/packages/mp3directcut
https://chocolatey.org/packages/palemoon (all older versions starting from 26.2.2 back)
https://chocolatey.org/packages/smplayer
https://chocolatey.org/packages/visipics

Possible Action Necessary, Especially for Pro Users

If you are running `choco upgrade all`, please ensure you pin any packages in the list above so they are not upgraded to possibly malicious binaries.

For example: choco pin audacity
Run choco pin -h for details

Checksum Requirement on Roadmap for Community Packages

We have been moving towards requiring checksums on all packages that download binaries, especially packages that use http instead of https for downloads. This event may move up the timeline on that requirement. We will move choco clients to a default of not installing any package that doesn't include a checksum if it comes from a remote source, but provide configurable overrides (for those that need the functionality).