Malware Infiltrates Pidgin Messenger's Official Plugin Repository

The Pidgin messaging app removed the ScreenShareOTR plugin from its third-party plugin list after it was found to be used to install keyloggers, information stealers, and malware targeting corporate networks. BleepingComputer reports: The plugin was promoted as a screen-sharing tool for secure Off-The-Record (OTR) protocol and was available for both Windows and Linux versions of Pidgin. According to ESET, the malicious plugin was configured to infect unsuspecting users with DarkGate malware, a powerful malware threat actors use to breach networks since QBot's dismantling by the authorities. [...] Those who installed it are recommended to remove it immediately and perform a full system scan with an antivirus tool, as DarkGate may be lurking on their system.

After publishing our story, Pidgin's maintainer and lead developer, Gary Kramlich, notified us on Mastodon to say that they do not keep track of how many times a plugin is installed. To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny into their code and internal functionality.

What took them so long?

[Seven Spirals]

Always figured OTR was going to be a juicy target. I'm surprised it took them this long. No way any government would want you to take an IM they'd already compromised then use some "unbreakable" method to re-secure it. Ohhhhhh heeeeeeell no, they said.

Re:

[BigBrownChunx]

in this case OTR wasn't compromised, this new plugin was just remote running commands and uploading screenshots to a command and control server.

Re:

[Seven Spirals]

Oh, really? Sorry for the misrepresentation and it's not surprising. They rarely break the crypto. It's always something adjacent that gets hacked and keylogged.

Pidgin? OTR Plugin?

[Local ID10T]

Hello 20 years ago!

What's next? AOL CDs are compromised?

MS-Windows only

[markdavis]

>"The plugin was promoted as a screen-sharing tool for secure Off-The-Record (OTR) protocol and was available for both Windows and Linux versions of Pidgin"

What they failed to mention is that the malware only affects MS-Windows machines. Yet they made sure to mention the PLUGIN is available for "Windows and Linux". Hmm.

Re:

[BigBrownChunx]

The keylogging, screenshot sharing and remote command execution was in the Linux version of the plugin too https://x.com/ESETresearch/sta... [x.com]

Re:

[markdavis]

Hmm, that isn't good.
The article only talked about DarkGate, which affects only MS-Windows. Sounds like the script stuff is not as bad, but still dangerous.