Comment by amipwndidunno

2 days ago

Why the hell doesn't the article say WHICH plugins were affected so users can know if they were likely affected?

The specific plugins don't matter for this attack. The attack relies on the user accepting a shared vault and trusting the shared plugins. A shared vault can contain plugins that don't come from the official directory.

It does.

> It enables malicious versions of legitimate Obsidian plugins ('Shell Commands' and 'Hider') that are present in the shared vault.

  • Thanks! I also scanned the detailed article looking for which plugins were affected and wasn't able to find it. Came to the comments looking for a quicker answer.

Because no plugin is affected. This isn't a supply chain attack. The headline is deliberately obtuse. Here's the breakdown:

1. Plugins are stored inside your vault.

2. If you open a vault from an untrusted source, it could contain custom/malicious plugins that will run things on your computer.

3. The end.
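
An added example, not part of the thread or of Obsidian's own code: a pre-open check that inventories the plugins a received vault carries, following the point above that plugins are stored inside the vault. It assumes the default on-disk layout (`.obsidian/plugins/<folder>/manifest.json` and `main.js`, with enabled plugin ids listed in `.obsidian/community-plugins.json`), which the thread does not spell out; the function names and the sample plugin ids are made up for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def _load_json(path, kind):
    """Parse a JSON file; return an empty `kind` if missing, malformed or the wrong type."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return kind()
    return data if isinstance(data, kind) else kind()

def audit_vault(vault, config_dir=".obsidian"):
    """List every plugin folder bundled in a vault, without opening the vault."""
    cfg = Path(vault) / config_dir  # assumption: default config folder name
    enabled = {e for e in _load_json(cfg / "community-plugins.json", list) if isinstance(e, str)}
    plugins_dir = cfg / "plugins"
    records = []
    for folder in (sorted(plugins_dir.iterdir()) if plugins_dir.is_dir() else []):
        if not folder.is_dir():
            continue
        manifest = _load_json(folder / "manifest.json", dict)
        plugin_id = manifest.get("id") if isinstance(manifest.get("id"), str) else folder.name
        main_js = folder / "main.js"
        digest = hashlib.sha256(main_js.read_bytes()).hexdigest() if main_js.is_file() else None
        records.append({
            "folder": folder.name,
            "id": plugin_id,
            "version": manifest.get("version"),
            "enabled": plugin_id in enabled or folder.name in enabled,
            "main_js_sha256": digest,  # compare with a copy you fetched yourself
        })
    return records

def build_sample_vault(root):
    """Constructed sample vault: two made-up plugins, only one pre-enabled."""
    cfg = Path(root) / ".obsidian"
    for pid in ("example-plugin-a", "example-plugin-b"):
        d = cfg / "plugins" / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "version": "0.0.1"}))
        (d / "main.js").write_text("// constructed placeholder for " + pid)
    (cfg / "community-plugins.json").write_text(json.dumps(["example-plugin-a"]))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_vault(build_sample_vault(tmp)), indent=2))
```

A plugin whose name matches a well-known one but whose `main.js` digest differs from the copy installed from the official directory is the vault's own build, which is the case the comments above describe.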