Bizarre occurrence with UnityHub 3.1.0

I just updated my UnityHub to version 3.1.0 and upon restarting the application a text file was created on my desktop called “WITH-LOVE-FROM-AMERICA.txt”, the file is empty. Is this something I should worry about?

I tried Googling and searching in the forums but I haven’t found any information about this.

2 Likes

Seems to be an issue with using random node packages?
https://github.com/RIAEvangelist/peacenotwar

1 Like

I see now it seems harmless, but was this something unknowingly or knowingly included in UnityHub? The first thing I feared was an attack. Did not need that.

At least it's harmless, based on that repo info… but yeah, could have been a serious issue.

Coming from this library:
https://github.com/RIAEvangelist/node-ipc

2 Likes

Apparently Unity Hub auto updates to the latest available version and this behaviour can’t be disabled ( Unity HUB - prevent update ), so even if you can restore the previous version (mine was 3.0.0b5), next time you launch the hub the .txt will be created again.

Ok, just found that the auto update can be disabled. All you need to do:

  • Install your previous unity Hub version.
  • Locate and edit the app-update.yml file (just leave the url: value empty):
```
url:
updaterCacheDirName: unityhub-updater
```

5 Likes

Thanks! This is much better than suggesting to all my co-workers to stop using Unity Hub for a while.

Thank you! Unity Hub is being a real pain since it auto updated to 3.0. No more auto updates for me!

Hey, just wanted to note that it actually was intended to be malicious for people living in certain countries. Though, it is entirely possible that the location check could be incorrect and affect people outside those countries.

Here is the github issue that shows the code, where it would re-write files on your system with hearts, effectively destroying the system and any attached drives. This would have been detrimental to anyone that doesn’t practice secure backups. https://github.com/RIAEvangelist/node-ipc/issues/233

Also, here is the NIST entry where it’s listed as a critical security vulnerability and as malware. NVD - CVE-2022-23812

Thankfully it’s solved now, and it actually shouldn’t have worked due to a rejected API key for location checking, but the code still existed in the Unity Hub and could have been triggered if that package was updated and included in Unity Hub.

4 Likes

Thanks for the detailed info. Much appreciated

So if it was installed, would it have erased everything with hearts by now? Or could that just kick around and happen randomly?

The malicious part that does something with the Russian IPs was blocked by the node-ipc developers way before Unity received the package. Just the joke file passed to Unity Hub. It’s harmless but serves as an alert to the team about the trust of their code suppliers.

For our side as Unity users, it does nothing but include that file in the desktop, no need to panic.

Oh thanks! @SpockBauru
Well it sparked me to double check all of my backup systems, so that’s probably a good thing.
So if I use the code above to stop the Hub auto updating, how would you go about updating it in future?

Apart from completely eroding any trust I had for Unity software to be safe and secure. To learn they don’t even audit the code dependencies they include in their software is a nasty wake up call. All things considered it seems Unity were lucky this time. However it appears as though no-one actually knows if there could be anything malicious in the third party code dependencies they are using for the Hub, as they never audited them in the first place.

You say the malicious code was blocked by the node-ipc developers, yet I’ve seen some reports of the code having entered the wild. However I cannot validate those reports so I’m willing to be sceptical of them. Can you provide a link to any information that the code never made it out and into other software? It would certainly go a long way to restore some faith in the nodejs system.

2 Likes

I can only talk about unity hub client that I received on my PC, there’s an official statement about it: https://discussions.unity.com/t/875255

About other software, it is impossible to know.

About the nodejs system, it is not safe, there’s no faith to put in it, and thousands of companies should stop using it immediately.

A while ago the libraries “faker” and “colors” were sabotaged by their own owner:
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Now it is node-ipc:
https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

Edit: At the end of last year, two libraries were hijacked:
https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/

It really shows how vulnerable the whole supply chain is.

2 Likes
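
For the dependency-audit concern raised in the thread, an added example (not part of any post, and not Unity's or node-ipc's code): it walks a parsed npm `package-lock.json` in either lockfile layout and reports every installed copy of `node-ipc` or `peacenotwar`, plus the packages that declare them as dependencies. The sample lockfile, the package name `example-updater` and all version strings are constructed placeholders.

```javascript
// Added example. Package names are the two named in the thread; the lockfile
// data below is constructed and every version string is a placeholder.
const WATCHED = new Set(['node-ipc', 'peacenotwar']);

function scanLockfile(lock) {
  const hits = [];      // every installed copy of a watched package
  const requirers = {}; // watched name -> packages that declare it as a dependency
  const note = (name, version, where) => {
    if (WATCHED.has(name)) hits.push({ name, version, where });
  };
  const noteDeps = (owner, deps) => {
    for (const dep of Object.keys(deps || {})) {
      if (WATCHED.has(dep)) (requirers[dep] = requirers[dep] || []).push(owner);
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path) note(path.split('node_modules/').pop(), meta.version, path);
      noteDeps(path || '(root project)',
        { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies });
    }
  } else {
    // lockfileVersion 1: nested "dependencies", edges listed under "requires".
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = [...trail, name].join(' > ');
        note(name, meta.version, where);
        noteDeps(where, meta.requires);
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return { hits, requirers };
}

// Constructed sample: a hypothetical "example-updater" pulls in node-ipc transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { 'example-updater': '*' } },
    'node_modules/example-updater': { version: '0.0.0-constructed', dependencies: { 'node-ipc': '*' } },
    'node_modules/node-ipc': { version: '0.0.0-constructed', dependencies: { peacenotwar: '*' } },
    'node_modules/node-ipc/node_modules/peacenotwar': { version: '0.0.0-constructed' },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To check a real project, pass the object obtained by parsing its `package-lock.json` to `scanLockfile`.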