Possible malware campaign targeting FOSS audio plugins on Github

Post by LAM »

In the last month I discovered a couple of repositories that pose as legit FOSS audio plugins but are trying to spread some likely Lua malware.

The legit audio plugins repos targeted were, until now:
https://github.com/SpotlightKid/waxman
https://github.com/jurihock/robotone

The campaign is usually done in 3 steps:

  1. A copy of the repo is created on Github without forking the original one by a newly created user

  2. The new commits added to the fake repo are usually README updates with some AI crap, resembling/reinterpreting the original plugin's README. It's done multiple times over several days so the repo gets among the recently active repos.

  3. A few days later a zip file is uploaded in the Releases section. It contains luajit.exe for Windows, along with lua51.dll, a .txt file containing obfuscated Lua code and a .bat or .cmd file to execute the code

The fake repos are down now.

It doesn't seem a well thought-out campaign; their way of trying to deceive the user into running their program is highly suspicious to the mildly security-aware audio user, and it seems to target only Windows for now.

Still, I found it quite concerning, just wanted to spread the word.

in mix, nobody can hear your screen
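A triage check for the release bundle described in step 3 of the post above, added here as an example (it is not part of LAM's post or of any plugin project). It reads only the zip listing and small launcher scripts, extracts and runs nothing, and the sample archives and the `MAX_SCRIPT_BYTES` cap are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

INTERPRETER, RUNTIME_DLL = "luajit.exe", "lua51.dll"  # file names from the post
LAUNCHER_EXTS = {".bat", ".cmd"}
MAX_SCRIPT_BYTES = 64 * 1024  # assumption: launchers are tiny, so cap what is read

def _base(name):
    # Lower-cased file name without its directory, for either slash style.
    return PurePosixPath(name.replace("\\", "/")).name.lower()

def triage_release_zip(data: bytes) -> dict:
    """Report which parts of the interpreter + script + launcher bundle are present."""
    r = {"interpreter": [], "runtime_dll": [], "launchers": [],
         "txt_files": [], "launcher_runs_txt": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            base = _base(info.filename)
            ext = PurePosixPath(base).suffix
            if base == INTERPRETER:
                r["interpreter"].append(info.filename)
            elif base == RUNTIME_DLL:
                r["runtime_dll"].append(info.filename)
            elif ext in LAUNCHER_EXTS:
                r["launchers"].append(info.filename)
            elif ext == ".txt":
                r["txt_files"].append(info.filename)
        txt_names = {_base(n) for n in r["txt_files"]}
        for info in members:
            if info.filename in r["launchers"] and info.file_size <= MAX_SCRIPT_BYTES:
                text = zf.read(info).decode("latin-1").lower()
                # Strongest signal: the launcher feeds a .txt file to the interpreter.
                if "luajit" in text and any(t in text for t in txt_names):
                    r["launcher_runs_txt"].append(info.filename)
    r["matches_pattern"] = bool(r["interpreter"] and r["launchers"] and r["txt_files"])
    return r

def build_sample(files: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed, inert samples: placeholder bytes, no real binaries or Lua code.
SAMPLE_FAKE = build_sample({"plugin/luajit.exe": b"MZ", "plugin/lua51.dll": b"MZ",
                            "plugin/data.txt": b"placeholder",
                            "plugin/Launch.cmd": b"start luajit.exe data.txt\r\n"})
SAMPLE_PLUGIN = build_sample({"plugin.lv2/manifest.ttl": b"", "README.txt": b"docs"})
```

A README.txt on its own does not trip the check; it is the interpreter, a launcher script and a .txt file arriving together in an audio plugin release that matches what the post describes.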

Post by assembler »

@LAM
Thanks for this important information.
Also good to know that Linux plugins are not targeted till now.
Software for "musicians" is popular - many people are making music.
And plugins are the way to distribute things in the music software world.
It is a small line between being helpful and positive and just being full of anger.
There is much negativity going on and yeah, you can blame me for being angry about certain things.
But there are many people now thinking they know what is right and who are seeing themselves at the center of everything.
And these people are starting a fight now or are preparing for it.
I see two groups: the one group who tries to be positive, authentic, upright and friendly and the other group trying to destroy (also bad things) and claiming that being friendly and being "woke" is just bullshit.
There were always these two groups, I guess.
Maybe we can start a topic where we (you - I am not smart enough) are starting to explain how to make sure software is not dangerous.
Maybe a little ldd tutorial?

Post by LAM »

assembler wrote: Tue Jun 03, 2025 12:47 pm

@LAM
Maybe we can start a topic where we (you - I am not smart enough) are starting to explain how to make sure software is not dangerous.
Maybe a little ldd tutorial?

I'm not a developer, just a normal user that likes to hunt for FOSS Linux plugins; it just happened that I spotted a few suspicious repos with the same name as plugins made by developers I trust.
There are a lot of people here, much better than me, who can be good at explaining technical details. :wink:

in mix, nobody can hear your screen

Post by assembler »

People are always tending to get personal.
This is a topic and we should talk more often here about malware and attempts to attack the FOSS world.
Offtopic: I once found a "piece of software" with the only purpose to show hate to one person who was already under attack.
I wrote to GitHub and some days later I got the answer that they will take care of the problem.
But they (GitHub) never did anything and this hate software is still online and the person who gets targeted is now living on the streets.
Bottom line: don't expect GitHub to do anything except chasing money for Microsoft Corp.

Post by LAM »

assembler wrote: Tue Jun 03, 2025 1:19 pm

Bottom line: don't expect GitHub to do anything except chasing money for Microsoft Corp.

I don't love Microsoft either, but I have to recognize that Github support was very fast in blocking the fake repos. Kudos to them. :wink:

in mix, nobody can hear your screen

Post by Axel-Erfurt »

Security vulnerability database
GitHub Advisory Database

Post by LAM »

Axel-Erfurt wrote: Tue Jun 03, 2025 5:06 pm

Security vulnerability database
GitHub Advisory Database

What are you suggesting, exactly?

in mix, nobody can hear your screen

Post by Axel-Erfurt »

Simply show that there is a database where such dangerous repositories are recorded.

Post by LAM »

Axel-Erfurt wrote: Tue Jun 03, 2025 8:09 pm

Simply show that there is a database where such dangerous repositories are recorded.

Dangerous repositories? It's about CVEs and security advisories.

What happened here is not about those, there is no vulnerability exploited here, unless you consider a vulnerability a possible unsuspecting user, but at that point there is no database that can save you. :D

in mix, nobody can hear your screen

Post by assembler »

CVE database is a good thing.
But some people may think that vulnerabilities are weak and weak is woke - probably something like that.

https://www.heise.de/en/news/US-cuts-CV ... 53333.html

Let's spend some time with this database, as long as it still exists.
