Customer Advisory - FOSSHub Downloads Compromised

We just learned of a major compromise of FOSSHub, where a hacker was able to replace downloads with malicious binaries that overwrite your MBR (Master Boot Record). This will create issues for computers when they reboot. This issue appears to be one that is recoverable. Since we do not know the extent of the compromise yet, we are sharing all packages that could potentially be affected (even though the hacker has only claimed a few).

If you are using the community repository for packages (https://chocolatey.org/packages), please ensure that you have VirusTotal turned on as an added measure of protection. See https://chocolatey.org/docs/features-virus-check for details. Even with VirusTotal checks turned on, it appears that most scanners will not detect the malicious binaries. For that reason you may wish to lower the minimum number of positive scanner results required to block an install to 1 until this is resolved. For reference, see https://www.virustotal.com/en/file/a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032/analysis/1470182253/.
 
  • choco config set virusScannerType VirusTotal
  • choco feature enable -n virusCheck
  • choco config set virusCheckMinimumPositives 1

Avoid - Chocolatey.org Packages downloading from FOSSHub without checksums

These are packages that should be avoided at all costs. Do not install or upgrade any of the following:

Complete List - Chocolatey.org packages downloading from FOSSHub

This is the entire list of packages that download from FOSSHub, including those with checksums. For packages with checksums, the downloaded binary is verified against the recorded checksum and the install is refused if it does not match. Please do not ignore checksums for the following packages, as doing so could cause disastrous results.
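As an added illustration of the checksum protection described above (this is an example install script, not one of the affected packages' own scripts), a chocolateyInstall.ps1 that records the vendor's known-good SHA-256; the package id, URL and checksum value below are placeholders:

```powershell
# chocolateyInstall.ps1 for a hypothetical package 'example-tool' (placeholder id)
$ErrorActionPreference = 'Stop'

$packageArgs = @{
  packageName    = 'example-tool'
  fileType       = 'exe'
  # Placeholder download URL; a real package points at the vendor's release file.
  url            = 'https://example.invalid/example-tool-setup.exe'
  # Placeholder SHA-256 of the known-good installer. The maintainer computes
  # this from a trusted copy (e.g. Get-FileHash -Algorithm SHA256) when the
  # package is built, so a swapped download on the mirror will not match.
  checksum       = '0000000000000000000000000000000000000000000000000000000000000000'
  checksumType   = 'sha256'
  silentArgs     = '/S'
  validExitCodes = @(0)
}

# Install-ChocolateyPackage downloads the file, hashes it and throws before
# running the installer if the hash differs from $packageArgs.checksum.
# Running choco with --ignore-checksums disables this check, which is why the
# advisory asks you not to use it for the listed packages.
Install-ChocolateyPackage @packageArgs
```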

 

Possible Action Necessary, Especially for Pro Users

If you are running `choco upgrade all`, please ensure you pin any packages in the list above so they are not upgraded to possibly malicious binaries.
  • For example: choco pin audacity
  • Run choco pin -h for details

Checksum Requirement on Roadmap for Community Packages

We have been moving towards requiring checksums on all packages that download binaries, especially packages that use http instead of https for downloads. This event may move up the timeline on that requirement. We will move choco clients to a default of not installing any package that doesn't include a checksum if it comes from a remote source, but provide configurable overrides (for those that need the functionality).
Copyright © 2016 RealDimensions Software, LLC, All rights reserved.

