I just updated my UnityHub to version 3.1.0 and upon restarting the application a text file was created on my desktop called “WITH-LOVE-FROM-AMERICA.txt”. The file is empty. Is this something I should worry about?
I tried Googling and searching in the forums but I haven’t found any information about this.
I see now it seems harmless, but was this something unknowingly or knowingly included in UnityHub? The first thing I feared was an attack. Did not need that.
Apparently Unity Hub auto-updates to the latest available version and this behaviour can’t be disabled (Unity HUB - prevent update), so even if you can restore the previous version (mine was 3.0.0b5), next time you launch the hub the .txt will be created again.
Hey, just wanted to note that it actually was intended to be malicious for people living in certain countries. Though, it is entirely possible that the location check could be incorrect and affect people outside those countries.
Here is the GitHub issue that shows the code, where it would re-write files on your system with hearts, effectively destroying the system and any attached drives. This would have been detrimental to anyone that doesn’t practice secure backups. https://github.com/RIAEvangelist/node-ipc/issues/233
Also, here is the NIST entry where it’s listed as a critical security vulnerability and as malware. NVD - CVE-2022-23812
Thankfully it’s solved now, and it actually shouldn’t have worked due to a rejected API key for location checking, but the code still existed in the Unity Hub and could have been triggered if that package was updated and included in Unity Hub.
The malicious part that does something with the Russian IPs was blocked by the node-ipc developers way before Unity received the package. Just the joke file passed to Unity Hub. It’s harmless but serves as an alert to the team about the trust of their code suppliers.
For our side as Unity users, it does nothing but include that file in the desktop, no need to panic.
Oh thanks! @SpockBauru
Well it sparked me to double check all of my backup systems, so that’s probably a good thing.
So if I use the code above to stop the Hub auto updating, how would you go about updating it in future?
Apart from completely eroding any trust I had for Unity software to be safe and secure. To learn they don’t even audit the code dependencies they include in their software is a nasty wake up call. All things considered it seems Unity were lucky this time. However it appears as though no-one actually knows if there could be anything malicious in the third party code dependencies they are using for the Hub, as they never audited them in the first place.
You say the malicious code was blocked by the node-ipc developers, yet I’ve seen some reports of the code having entered the wild. However I cannot validate those reports so I’m willing to be sceptical of them. Can you provide a link to any information that the code never made it out and into other software? It would certainly go a long way to restore some faith in the nodejs system.
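For readers who want to see whether and how node-ipc ends up in one of their own Node projects, here is an added example; it is not part of any post above and is not Unity's or node-ipc's code. It reads the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports each installed copy of a package plus which packages declare it. The function names are hypothetical, and the lockfile content is constructed: every package name other than node-ipc and every version number in it is made up.

```javascript
// Added example, not code from the thread: find where a package sits in an npm
// lockfile (v2/v3 "packages" map) and which packages declare it.
// SAMPLE_LOCK is constructed; every name except node-ipc and every version is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "example-updater": "1.0.0" } },
    "node_modules/example-updater": {
      version: "1.0.0",
      dependencies: { "node-ipc": "^0.0.1" },
    },
    "node_modules/example-updater/node_modules/node-ipc": { version: "0.0.2" },
    "node_modules/left-alone": { version: "2.0.0" },
  },
};

// Every on-disk copy of `target`, with the nesting chain that leads to it.
function findInstalls(lock, target) {
  const suffix = "node_modules/" + target;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const chain = path.split("node_modules/").filter(Boolean)
      .map((part) => part.replace(/\/$/, ""));
    hits.push({ path, version: meta.version, chain });
  }
  return hits;
}

// Every package that asks for `target`; a range that is not an exact x.y.z
// version is flagged, since a fresh resolve could pick up a newer release.
function findDeclarers(lock, target) {
  const fields = ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"];
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    for (const field of fields) {
      const range = meta[field] && meta[field][target];
      if (!range) continue;
      const floating = !/^\d+\.\d+\.\d+$/.test(range);
      out.push({ by: path || "(root project)", field, range, floating });
    }
  }
  return out;
}

function audit(lock, target) {
  return { installs: findInstalls(lock, target), declarers: findDeclarers(lock, target) };
}

console.log(JSON.stringify(audit(SAMPLE_LOCK, "node-ipc"), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`.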