Something about malicious .unitypackage?
-
I suddenly remember this issue that happen some years ago, trying to find the answer but no luck but i found this post https://twitter.com/KinamiVR/status/1449369921335570437?lang=en
How do we check for malicious scripts? -
GitHub - FACS01-01/Safe_Import: Unity script that protects you from running malicious scripts on import
Unity script that protects you from running malicious scripts on import - FACS01-01/Safe_Import
GitHub (github.com)
You can use something like this
-
is it still a thing ? I mean I don't think creators are willing to cross that bridge now or back then. Imagine you make an avatar that sells somewhat good you make let say 1k-8k from that avatar and you then add the "protection" script and people find out. You get sued for doing illegal thing you have to pay a minimum 100k or time in jail. They will lose money anyway. People sued big companies and big gaming companies. What's stopping them from suing an avatar "Creator" and I'm sure Vrchat is not safe from a lawsuit as well or even heck... unity itself. Maybe I'm just blowing smoke here or I'm over thinking it. Yet I would still use the file that @Finn posted just to be on the safe side. It's 2024! I'm not taking chances anymore
-
@Magic69 There are several instances where Avatar creators or people uploading to VRModels did that. I got once a unitypackage which nuked my entire unity project. Not that common but rather stay safe and don't import random dll files into unity etc...
Contact me for support and more (lookup my Linktree, I'm slower to answer DMs here). Uptime monitor of my files: https://stats.uptimerobot.com/loRANfO67n If a link is down without an outage please contact me asap. If you’d like to post something anonymously (/on my behalf), simply send me a direct message, and I’ll handle it for you.
-
Do you remember which unitypackage that nuked your entire project?
-
I remember something like this happening years ago pretty well actually, it was some weirdo running a site called sanctuary(dot)moe (defunct now), they were running their own vrc asset share site where they shared all the items themselves (or stole them from vrmodels) as a means to infect people with Remote Access Trojans and steal accounts under the guise of being "Anti-Piracy" I remember they had a fake company that was named either Akisoba or something similar and they used a frontman (probably had some leverage on them) for the "company" to obfuscate their identity (did not work.), they didn't get consent from the avatar creators they reuploaded work and they even had their names listed on the old website as if they were business partners which pissed them off something fierce (imagine being implicated in what is essentially a botnet over stolen models), and their first ever use of this "Anti-Piracy Tool" was to steal an ex partner's account using a hacked DPS, it devolved very fucking quickly, people found out who was behind it and legal shit starting to get drafted by AV creators who were pissed over their names being smeared and products being stolen, it was a huge shitshow, they nuked their "Business Discord server" (lol.) several times and vowed to come back, still honestly the funniest skid shit I've seen, some real fuck around and find out level stuff.
-
Actually found some records of it if anyone is interested:
https://twitter.com/kazusan85/status/1495133931435216896 -
@TomCom1995
Got more record of this? -
I used to be in a discord talking about it made by one of the people in the twitter thread but i've long since left, sorry,
"what is a signature?"
-
@TomCom1995
that's alright, i dug up more info about the incident, that was wild though
