Beware of people posting addons

I’ve seen a number of suspicious posts, usually vibe-coded things where the first post is someone offering some cool new tool for “free”. But the repo they direct you to is brand new, and they have no online presence beyond a brand new GitHub. Typically their post was clearly made by an LLM.

I strongly recommend you not download any free executables.

19 Likes

I’m always suspicious of suddenly getting a completely unsolicited email about a service or product I’ve never heard of, with no idea of their motives.

‘Website Launches’ is a good example. Got an email from them after getting the site up and running, they apparently already have my site listed and I need to log in to confirm it’s mine. All I could find online about them was hundreds of people asking if they are a scam, and a result saying they ‘May’ be a legitimate service but take care.

2 Likes

I was thinking, is it possible to launch malware using Godot addons?

I believe it’s very possible.
Never trust any random addon!

@Demetrius_Dixon @dragonforge-dev (sorry for the pings)
2 days in the future FrozenFried here:
I’m also wondering why it was locked. Maybe because I was teaching hackers how to hide malware in addons.

3 Likes

Possible? I think it might be insanely easy.

Someone just has to actually put in some effort, speak proper English for once, and play the long game instead of pump-n-dumping LLM slop.

Maybe @HyperJragon could have a word about this.

(I am absolutely going to talk about this on the Monkanics discord. This is way too interesting)

2 days in the future Demetrius here:

Dragonforge trying to figure out why his topic was locked
(It had NOTHING to do with dinosaur riddles or Ligma):

@Frozen_Fried

Super confusing to follow conversation, but the lock was caused by epic dinosaur riddles and Ligma.

5 minutes later:

I’ve never had a convo via replies in a locked topic. WE’RE TIME TRAVELERS @Frozen_Fried!

New error!

5 Likes

OS.execute()

In short, yes. It’s insanely easy.

6 Likes

A more stealthy option would be to make a GDExtension addon, then only add malicious code to your AssetLib submission. Easily raises the skill needed to pinpoint the culprit by quite a bit.

1 Like
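The post above points at the gap between the public repository and what the AssetLib actually hands you. A practical check is to hash every file in the git checkout and every file in the unpacked download, then diff the two manifests, which also covers the compiled GDExtension binaries that you cannot read as source. The script below is an added example, not code from the thread or from Godot; it assumes you already have the repo checked out at the advertised commit and the download unpacked next to it, and that the download unpacks into a single wrapper directory as GitHub and AssetLib archives normally do. The sample addon trees in `demo()` are constructed.

```python
"""Diff a downloaded Godot addon against the public repo it claims to match."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

IGNORE_DIRS = {".git", ".github", ".godot"}  # assumed: VCS and editor caches never ship


def manifest(root: str | Path) -> dict[str, str]:
    """Map each file's relative POSIX path to the SHA-256 of its bytes."""
    root = Path(root)
    result: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if IGNORE_DIRS.intersection(rel.parts):
            continue
        result[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff_manifests(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Files only in the download, only in the repo, or present in both with different bytes."""
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k]),
    }


def strip_single_top_dir(root: Path) -> Path:
    """Archives usually unpack into one wrapper directory (e.g. widget-main/); descend into it."""
    entries = [e for e in root.iterdir() if e.name not in IGNORE_DIRS]
    if len(entries) == 1 and entries[0].is_dir():
        return entries[0]
    return root


def _write(root: Path, files: dict[str, str]) -> None:
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean git checkout vs. a download with a patched
    plugin.gd and an extra 'image' that is not part of the repo."""
    clean = {
        "addons/widget/plugin.cfg": '[plugin]\nname="Widget"\nscript="plugin.gd"\n',
        "addons/widget/plugin.gd": "@tool\nextends EditorPlugin\n",
        "README.md": "# Widget\n",
    }
    tampered = dict(clean)
    tampered["addons/widget/plugin.gd"] += (
        'func _enter_tree() -> void:\n\tOS.execute("cmd", ["/c", "start calc.exe"])\n'
    )
    tampered["addons/widget/bin/helper.png"] = "not really an image"
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        download = Path(tmp) / "download"
        _write(repo, clean)
        _write(download / "widget-main", tampered)  # wrapper dir like a GitHub zip
        return diff_manifests(manifest(repo), manifest(strip_single_top_dir(download)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Anything under `added` or `modified` is what you actually need to read, and an unexplained `added` binary or a changed `.gd` next to an otherwise identical tree is exactly the pattern the post describes.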

So I had my free program removed, probably because of this reason, just this morning lol. I’ve never had a GitHub or a reason for one, so I made one for an app I’ve been developing for a few months now, just to make downloading it easier. Would a YouTube video showcasing the download and installation help? I’m trying to improve people’s workflow with an editor that can export an importer for Godot with a file to make set up of images an instant and hassle-free experience.

And yes, I did use an LLM for the post because I’m not good at promoting things and have issues expressing things, and an LLM helps me say what I’m trying to say. And I would have added more images of the app to the post BUT the forum said I could only add one because I was new… Also I wanted the app to be free because Godot’s free and I feel people should have free access to an alternative sprite/image editor.

That’s all. Also the Godot plugin code is in its own folder of the GitHub and not part of the installer and can be read there. Sorry for the scare

Almost laughed me out of my chair.

All someone has to do is NOT be socially inept to successfully pull something like this off.

4 Likes

Let me write a little guide on how to do it:

  1. Learn C++/Rust,
  2. Make a powerful malware,
  3. Create a new account on any forum,
  4. Be an active member for a year,
  5. Make a good addon,
  6. Hide the sweet malware inside the addon, How?
  7. DM me on Discord: frozenfried
  8. Upload it on the forum!
  9. You just hacked most of the regular members on the forum,
  10. Chill and enjoy their files!

Why would it even work? What will Windows Defender do while the malware is taking over the system?
The answer is trust. Godot will be one of the most used programs on the victim’s computer, so Defender wouldn’t even ask about it.

For those who thought that being an active member for a year is unreal just to hack some people: FYI, Jia Tan was an active contributor to XZ Utils on Linux; he worked on it for over 3 years! Then one day the main coder gave full power to him. He added a backdoor to it. It was caught, btw. You can read about it: The XZ Backdoor

Thanks~
LOL

4 Likes

Nahh, it will be kind of easy to spot.
I will rename the malware pewpew.exe to pewpew.config or pewpew.png, then I will rename it again in Godot using code and run it.

2 Likes

So can someone on here be HELPFUL, and give me suggestions for promoting an app I’ve built for Godot please. Like I suggested above, I can do a YouTube video showcasing it and the installation process and features of the app if that helps. Thank you…

The suggestion is: don’t use an AI-generated description.

5 Likes

func _ready() -> void:
	# "T1M=" is base64 for "OS"; "ZXhlY3V0ZQ==" is base64 for "execute"
	var a := "T1M="
	var b := "ZXhlY3V0ZQ=="
	# Resolve the OS singleton by its decoded name so "OS.execute" never appears in the source
	var s := Engine.get_singleton(Marshalls.base64_to_utf8(a))
	var m := Marshalls.base64_to_utf8(b)
	# Build "cmd" from character codes
	var pb := [99, 109, 100]
	var pg := ""
	for val in pb:
		pg += char(val)
	# Build "/c"
	var fb := [47, 99]
	var ff := ""
	for val in fb:
		ff += char(val)
	# Build "calc.exe"
	var tb := [99, 97, 108, 99, 46, 101, 120, 101]
	var trg := ""
	for val in tb:
		trg += char(val)
	# Equivalent to OS.execute("cmd", ["/c", "start calc.exe"])
	var args := [pg, [ff, "start " + trg]]
	s.callv(m, args)

Would you expect most users to know what this does?
This is still OS.execute, but with a little bit of obfuscation.

For anyone wondering: This will open up the calc.exe file on a Windows machine without ANY user input required, no question of “Hey, you sure you want to open this?” It will just do it.

6 Likes
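The posts above make the point that `OS.execute` is the trivial version, that the call can be hidden behind base64 and `char()` loops plus `Engine.get_singleton`/`callv`, and (earlier in the thread) that a payload can ship as a `.png` and be renamed back before running. None of those tricks survive a simple static pass over the addon's `.gd` files: the obfuscation itself is the signature. The scanner below is an added example, not code from the thread or from Godot; the regex list, severities and weights are the editor's own heuristics, and the two sample scripts are constructed (the first mirrors the obfuscated launcher posted above). Run it over an unpacked addon directory with `scan_addon(path)`.

```python
"""Heuristic scan of GDScript sources for process spawning and string hiding."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from pathlib import Path

# (regex, severity, description). Assumed heuristic list, not an official Godot API inventory.
PATTERNS = [
    (r"\bOS\.(execute|create_process|create_instance|shell_open|kill)\s*\(",
     "high", "spawns or controls an external process"),
    (r"\bEngine\.get_singleton\s*\(",
     "medium", "resolves a singleton by name at runtime (hides which API is used)"),
    (r"\bMarshalls\.base64_to_(utf8|raw|variant)\s*\(",
     "medium", "decodes base64 at runtime (typical string hiding)"),
    (r"\.callv\s*\(|\.call\s*\(\s*[\"']",
     "medium", "calls a method by name instead of directly"),
    (r"\bchar\s*\(",
     "low", "assembles a string from character codes"),
    (r"\bDirAccess\.(rename|rename_absolute|remove|remove_absolute)\s*\(|\bOS\.move_to_trash\s*\(",
     "medium", "renames or deletes files (e.g. turning a .png back into an .exe)"),
]
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1, "info": 0}

# Quoted literals that could be base64, and lists of small integers that could be ASCII codes.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{4,})"')
INT_ARRAY = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]")


@dataclass
class Finding:
    path: str
    line: int          # 0 for file-level findings
    severity: str
    detail: str


def decode_hidden_strings(source: str) -> list[str]:
    """Recover strings hidden as base64 literals or as lists of printable ASCII codes."""
    found: list[str] = []
    for m in B64_LITERAL.finditer(source):
        literal = m.group(1)
        if len(literal) % 4:
            continue
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:   # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(f"base64 {literal!r} -> {raw.decode('ascii')!r}")
    for m in INT_ARRAY.finditer(source):
        codes = [int(x) for x in m.group(1).split(",")]
        if all(32 <= c < 127 for c in codes):
            found.append(f"char codes {codes} -> {''.join(map(chr, codes))!r}")
    return found


def scan_source(path: str, source: str) -> list[Finding]:
    """Line-level pattern hits plus file-level decoded literals for one script."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, severity, desc in PATTERNS:
            if re.search(pattern, line):
                findings.append(Finding(path, lineno, severity, f"{desc}: {line.strip()}"))
    for hidden in decode_hidden_strings(source):
        findings.append(Finding(path, 0, "info", hidden))
    return findings


def scan_addon(root: str | Path) -> list[Finding]:
    """Scan every .gd file under an unpacked addon directory."""
    root = Path(root)
    findings: list[Finding] = []
    for gd in sorted(root.rglob("*.gd")):
        findings.extend(scan_source(gd.relative_to(root).as_posix(),
                                    gd.read_text(encoding="utf-8", errors="replace")))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


# Constructed samples: a launcher obfuscated like the one posted above, and a harmless plugin.
SAMPLE_OBFUSCATED = '''\
extends Node
func _ready() -> void:
\tvar a := "T1M="
\tvar b := "ZXhlY3V0ZQ=="
\tvar s := Engine.get_singleton(Marshalls.base64_to_utf8(a))
\tvar m := Marshalls.base64_to_utf8(b)
\tvar pb := [99, 109, 100]
\tvar pg := ""
\tfor val in pb:
\t\tpg += char(val)
\ts.callv(m, [pg, ["/c", "start calc.exe"]])
'''
SAMPLE_INNOCENT = '''\
@tool
extends EditorPlugin
func _enter_tree() -> void:
\tadd_custom_type("Widget", "Node2D", preload("widget.gd"), null)
'''

if __name__ == "__main__":
    for name, src in (("evil.gd", SAMPLE_OBFUSCATED), ("plugin.gd", SAMPLE_INNOCENT)):
        hits = scan_source(name, src)
        print(f"{name}: score {risk_score(hits)}")
        for f in hits:
            print(f"  L{f.line} [{f.severity}] {f.detail}")
```

The obfuscated sample never contains the string `OS.execute`, yet it scores well above the harmless plugin because each hiding step (runtime base64 decode, singleton lookup by name, `char()` assembly, `callv`) is itself a finding, and the decoder reports `"T1M=" -> 'OS'`, `"ZXhlY3V0ZQ==" -> 'execute'` and `[99, 109, 100] -> 'cmd'` so a reviewer can reconstruct the call without running anything.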

That’s a nice sentiment, but either you are completely clueless or lying. First impressions matter, and you made a bad one here. As evidenced by the fact that the mods removed your post.

I looked at your repo in great detail. The Readme and the plugin were clearly vibe coded. Your Github account was created 2 weeks ago, and has committed code to one public project. You had no online presence before 4 days ago that I could find other than this account. When you made your post, all your details were hidden - which indicates a new poster. Suddenly your account says you’ve been here for 6 months. Your name seems to be a James Bond reference.

You seem to be trying to use the name of Pyxel, an open-source Python game engine. You have also copied the name of another project PyxelStudio.net, which appears to be a marketing platform for the same engine. (And not vibe-coded as it looks like something from the 90s.) Since you seem to have no online connection to either one, it appears you are trying to borrow legitimacy.

I do not think making a YouTube video is going to fix your image problem.

Best case, you had good intentions and are just clueless. Worst case, you’re still trying to get people to download a malicious executable.

We live in the age of trust. For good or bad.

4 Likes

The add-ons don’t even necessarily have to be malicious as such; people making projects without sufficient knowledge and relying on LLMs can cause enough damage just by sheer ignorance and bad code.

It’s fully possible for a Godot addon to delete the root directory or C: with relatively minimal steps of messing up.

4 Likes

Your attitude of demanding help after you got called out is poor form. We are all volunteers. We don’t owe you anything.

3 Likes

Only understood the first few lines, that’s some nasty sneaky thing LOL.

3 Likes

Sadly that’s why new users need to be careful. Even some advanced users might not know what that is, since you don’t normally need to do something like this during development.
But of course, it’s probably not worth spreading malware using Godot. It’s a small userbase relative to other attack vectors, and MOST people who want to make games already know enough about computers not to fall for obvious scams or tricks.

4 Likes

A malicious addon could also do damage by stealing sensitive information from your computer, including extremely sensitive things like signing or encryption keys, login information for various places, etc. It doesn’t need anything to extract all the data that Godot has access to.

3 Likes

Also, to be clear something is not free and open source software (FOSS) if only part of the code is open for review.

1 Like