FossHub serves up MBR-compromising versions of Audacity and Classic Shell
Free project hosting service FossHub.com has been the target of an attack, with hackers replacing the downloads of two of its largest listed projects with a Master Boot Record (MBR)-overwriting Trojan.
Audio editing and recording software Audacity and Windows' user interface open-source software Classic Shell were both affected on Tuesday, with hackers deploying a copy of both downloads that contained the malware, which renders a computer unbootable.
According to Audacity, the hacked copy was live for approximately three hours on FossHub.com, with Audacity spokesman James Crook explaining in a post that hackers obtained the password of one of its developers and used it to upload the malware.
FossHub said it reacted promptly to the Audacity installer, but several hundred users were able to download the malware-infected version of Classic Shell, with the latter downloaded approximately 300 times.
"Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage," Classic Shell said.
"The attackers tried to gain access to DNSMadeEasy (our DNS provider), to CloudFlare, personal emails, CDN services etc. The login-logs shows no successful logins, only failed attempts."
The FossHub site remains down as the team moves through the process of reinstalling, amending access rights, passwords, and implementing new security rules.
"I would like to say that we 'apologise' but I would lie not to admit it is the worst day ever for me (personally) and all FossHub team members," a spokesperson, Sam, said on behalf of FossHub.
"After this incident, everything will change on our side. I am disappointed that despite of trying to build the image of one of the cleanest sites on the web we are here."
Audacity confirmed it has been slow to implement additional security due to the "lack of funds to implement stronger processing power".
"We are a community of developers, documentation writers, support, and help people, not a commercial outfit with a dedicated security team with strong security protocols," Crook wrote.
"We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organisation.
"In many ways Audacity is a soft target for hackers -- and attractive as a target because of the large number of downloads," Crook added.
Audacity has since replaced the 2.1.2 hacked Windows installer and disabled the hacked account on FossHub.com.
Classic Shell site administrator Ivo provided those affected with steps to rectify the corruption on its forum.
It has since been confirmed that Oldfoss.com was also compromised.