This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
Generally speaking, a checksum is cryptographically signed when its value is encrypted with the owner's private key. The corresponding public key should ideally be distributed through a chain of trust, so it can be obtained through a trusted channel.
We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
TLS uses message authentication codes which should detect tampering or bit errors. In theory, a cosmic ray could hit the RAM of the device on the receiving end and flip a bit after the ISO has been decrypted but is still in RAM. Checksumming does not rule bit flips out, though, as you could checksum the ISO and the bit flip happens between then and when the ISO is actually used to install the system.
Maybe in theory you could checksum the post-install filesystem, but I'm not sure if any distros actually do that or not, and it would require deterministic install layouts.
It can fail mid-way of course, but it really shouldn't corrupt in any other way. HTTPS is authenticated after all and malicious manipulation is harder to defend against than accidental corruption. But this is reality and you can have bugs and errors outside the transport of course. Your file system could corrupt data, your drive could be bad etc.
For security you want signatures with a known, trusted key.
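The procedure this part of the thread keeps circling back to, written out as an added shell example (this is not code from the thread or from the Xubuntu project): authenticate SHA256SUMS with its detached signature against a key whose fingerprint you obtained out of band, and only then compare the image against the authenticated list. A bare `sha256sum --check` against a SHA256SUMS fetched from the same, possibly compromised, site proves nothing, which is exactly the objection raised above. The script assumes `gpg` and `sha256sum` (or BSD `shasum`) are installed, pins the fingerprint quoted in the thread's own `gpg --verify` output (843938DF228D22F7B3742BC0D94AA3F0EFE21092), and uses hypothetical file names; the key itself must already be in the keyring, imported from a trusted source, since the "No public key" result shown in the thread is a failure, not a pass.

```shell
#!/bin/sh
# Added example (not from the thread or the Xubuntu project): verify a downloaded
# image in the order that actually establishes trust.
#   1. Authenticate SHA256SUMS with its detached signature, accepting only a key whose
#      fingerprint was obtained through a trusted channel (pinned below).
#   2. Only then compare the image against the now-authenticated SHA256SUMS.

# Fingerprint of the key shown in the thread's `gpg --verify` output. The public key must
# already be in the keyring, imported from a trusted source; "No public key" is a failure.
PINNED_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# sha256_hex FILE -> prints the hex digest (coreutils sha256sum or BSD shasum).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sums_signature SUMS SIG [FPR]
# Succeeds only if gpg reports VALIDSIG and the signing key (or its primary key) matches FPR.
# --status-fd 1 yields machine-readable lines: "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>".
verify_sums_signature() {
    sums="$1"; sig="$2"; fpr="${3:-$PINNED_FPR}"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v f="$fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_image_checksum SUMS IMAGE
# Looks IMAGE up by basename in SUMS (lines are "<hex> *<name>" or "<hex>  <name>";
# the leading "*" is sha256sum's binary-mode marker) and compares digests.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all.
verify_image_checksum() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256_hex "$image")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: FAILED (expected $expected, got $actual)" >&2
        return 1
    fi
}

# verify_download SUMS SIG IMAGE: both steps, in the right order; any failure aborts.
verify_download() {
    verify_sums_signature "$1" "$2" || { echo "SHA256SUMS signature not trusted" >&2; return 1; }
    verify_image_checksum "$1" "$3"
}

# Usage (hypothetical file names):
#   ./verify_image.sh SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

The signature check deliberately matches on a fingerprint rather than on gpg's "Good signature" text: a key with the right name but the wrong fingerprint, or an unrelated key that happens to be in the keyring, is rejected, which is the "known, trusted key" requirement stated above.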
What scared me in that thread was the mention of the fake Lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed Lubuntu just some weeks ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
That website, although unofficial, looks to be one of the many sites online that stuff a bunch of ads on a WordPress template and link straight to the official download links after a long-winded AI article about the software.
also see Bloxstrap, a popular Roblox bootstrapper - its official URL is https://bloxstraplabs.com, but many fakes rank high in SEO (bloxstrap[.]net, blxstrap[.]com, bloxstrape[.]com, bloxstrapper[.]com, bloxstraps[.]net, bloxstrapp[.]com, thebloxstrap[.]net)
currently it isn't hosting malware, but this could obviously change
I have not used uBlock in years, since NoScript, as a side effect of not running scripts, tends to block almost everything anyway (in particular ads), but maybe I should install it again after all for things like this.
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that, and it never occurred to me that any other option is viable.
If you do your cryptocurrency stuff on a laptop/desktop you're probably already in the minority, most of the world only has a smartphone and will use that. If you have two computers you're in a tiny minority. If you can dedicate one computer to just doing cryptocurrency stuff you're now in a fraction of a fraction of a percent.
Never underestimate the impact of convenience. At the same time, I'm so broke that any attackers could just look at my mostly empty wallet and weep (or do automated attacks and extract what little there is in the case of compromise).
This should lead to better checksum verification mechanisms, because if you compromise the site, you can put whatever compromised checksum you like there as well. I think having a centralized checksum verification system for all major (or all) distributions would be a good start.
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.
Thanks for this, I was resorting to creating a PWA on old reddit (which has horrible ergonomics for mobile) per subreddit (you can't rename them so I remember which is which by position) thinking all the reddit clients that don't require login are gone.
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
I’ve noticed that even on VPNs, US exit points sometimes block archive.is. Not sure if that is DNS related or what. Non-US VPN exit points don’t seem to be blocked at those times that the site navigation fails on US ones.
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am mentioning it, so that it can be known and explained, if any explanation exists, why mail.ru scripts are present on archive.is. I don’t seem to see those scripts on the Tor version of archive.today, of which archive.is is a mirror today; apparently the original domain is the .is one, in any case.
Consider my curiosity piqued!
More info about the archive.is|.today mirrors including the Tor (.onion) version of the site are on the Wikipedia entry for the site:
I mean that the page doesn’t even begin to load. I get early and often Google reCAPTCHAs on archive.is and its mirrors under normal operation over HTTPS/Tor, but I was referring to the site not loading in at all, and getting some kind of PTR/SSL error iirc when it happens, which is most/all of the time when using US VPN exit points over HTTP(S). I don’t experience these errors at all over Tor, because their Tor site doesn’t use certificates. I run HTTPS-only mode in the clearnet, so perhaps others don’t experience this issue on their machine(s), but I don’t want any kind of MITM and/or downgrade attacks to slip through the cracks, just in case.
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which it does in this case), it means it is flagged on most target users' machines.
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
"Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us"
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned about not falling victim to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
Also, no state actor would ever blow an immensely costly and rare backdoor like that on us peasants here, even if you threatened to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.
Though I also doubt they would just shelve these epic exploits, since a universal Linux backdoor likely puts themselves at risk too, unless you can pull off a grand conspiracy or deliver patched packages to your own people without questions asked. Maybe a completely locked-down country like North Korea could do it. I doubt many other countries have an incentive, unless in preparation for a specific attack.
Official, popular, longstanding (20 years!) Linux distro is clearly distributing "a virus" via an official repo, with nothing about the danger on its website?
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
We should really compare it to Windows here, since that's the target. But if we do compare it to a classic Linux dist like xubuntu as baseline:
Using Qubes would limit the blast radius for a scenario like this. In QubesOS, you would use disposable VMs (with no access to your crypto wallets or other user files) to download and flash an ISO. So even if this malware was targeting Linux, it wouldn't get zit and disappear when you finish flashing and shut down that VM (as long as there isn't an unpatched exploit breaking the VM isolation involved).
Of course, if the ISO is bad then this won't save you from compromise once you boot it. But that's not what happened here.
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
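The "verify the PGP commit signatures before rendering the site" step described in the two comments above, turned into a pass/fail check, as an added shell example (not code from the thread or from the Qubes OS project). It assumes `git` and `gpg` are installed and that the signing key has already been imported from a trusted channel (for instance a keyring package of your current distribution, cross-checked against a second source as suggested above). The repository path, branch and fingerprint in the usage line are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes OS project): reject a checkout unless
# every commit in the range carries a good signature from one pinned primary key.

# check_signature_log PINNED_FPR
# Reads lines "<commit> <status> <primary-key-fpr>" on stdin, as produced by
#   git log --format='%H %G? %GP' <range>
# %G? is G (good), B (bad), U (good but untrusted), X/Y (expired), R (revoked),
# E (cannot check, e.g. key missing) or N (no signature); %GP is the primary key
# fingerprint (empty for unsigned commits, so such lines have only two fields).
# Succeeds only if the input is non-empty and every commit is status G from the pinned key.
check_signature_log() {
    awk -v f="$1" '
        NF < 3 || $2 != "G" || $3 != f {
            bad++
            print "REJECT " $1 " status=" $2 " key=" $3 > "/dev/stderr"
        }
        END { exit (NR > 0 && !bad) ? 0 : 1 }'
}

# verify_repo_commits REPO_DIR RANGE PINNED_FPR
# Produces the signature log for RANGE in REPO_DIR and feeds it to the check above.
verify_repo_commits() {
    repo="$1"; range="$2"; fpr="$3"
    git -C "$repo" log --format='%H %G? %GP' "$range" | check_signature_log "$fpr"
}

# Usage (hypothetical repository, branch and fingerprint):
#   verify_repo_commits ./website-checkout main "<PINNED PRIMARY KEY FINGERPRINT>" \
#       && echo "all commits signed by the pinned key; safe to render"
```

Checking the primary key fingerprint (`%GP`) rather than the signing-subkey fingerprint (`%GF`) means a project that rotates signing subkeys under the same primary key still passes, while a commit signed by any other key, or not signed at all, fails the whole range.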
the malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:
can't guarantee it doesn't do anything else.
Isn't it possible to check the blockchain to see if the attacker is actually receiving money? Just curious how much money one makes with such attacks.
Here is the BTC and ETH address for convenience for anyone who wants to check: https://mempool.space/address/bc1qrzh7d0yy8c3arqxc23twkjujxx... https://etherscan.io/address/0x10A8B2e2790879FFCdE514DdE615b...
They are empty as of now.
I just checked all wallets, they're all empty with no recent transactions.
Do browsers still let websites read the clipboard?
Not without approval, see https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_A... or https://web.dev/articles/async-clipboard#security_and_permis.... But that is not relevant here.
Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.
The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.
Both stages have some limited anti-debugging and anti-VM functionality.
That's not done in the browser; the malware is hidden in the Ubuntu download (but that's rather amateurish work: the image was not compromised, the malware was distributed as an .exe file next to it).
As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
Let's all thank Bitcoin for making supply chain compromises worth anonymous money transfers.
The whole supply chain, in fact. The project's site isn't necessarily the real one, the GitHub repo it links to isn't necessarily the real one, the binaries it offers to download aren't necessarily the real ones, GitHub isn't even necessarily the real one! There's currently a phishing copy of GitHub up at hxxps://git.hubp.de/ that somebody is going to fall for before it's taken down. If you want to help get it blocked, load that site up and flag it as unsafe in Chrome! (It's hilarious that the site has a Cloudflare challenge to get in, btw.)
It's a big bad dark scary Internet out there. Be careful.
There's a stickied comment on the source thread: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
> Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.
You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
I am not making any assumptions, you are failing to do research.
Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.
I used to be responsible for the Xubuntu.org website, way back when. I was a teenager back then.
Which is to say, I'm fairly sure that they're still just a volunteer community member.
Okay, they're not getting paid. That's worse! This gives them an incentive to be the one to inject malware to steal bitcoins because they haven't been compensated for all their hard work.
I think you might be in for a shock when you learn how many Xubuntu-sized projects rely on unpaid volunteers.
So, of course, you stay far, far away from any open source software and their maintainers, since many/most of them don't get paid and are obviously nothing but one giant perverse incentive. Never use them, right? Because we wouldn't want to think you're just a hypocrite dog-piling on someone's bad day.
lol I live on the edge and run curl | sudo bash and just hope and pray that it doesn't steal my crypto
To what extent is Xubuntu affiliated with Ubuntu?
This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.
It is an official flavor[1], that is, maintained as a community effort, but endorsed by Ubuntu. The related packages are hosted in Ubuntu's universe repository[2]. There is indeed a risk of reputation damage.
1. https://ubuntu.com/desktop/flavors
2. https://packages.ubuntu.com/search?keywords=xubuntu-desktop
>Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from Craigslist. The number of people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.
> Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist.
If my options are between a barely maintained Linux operating system which might compromise my data and a barely maintained Windows operating system that is designed to compromise my data, I'll take my chances with Linux. At this point no one can be assured of their safety, and all anyone can do is choose the lesser evil and hope for the best.
It's a stretch to call Windows a "barely maintained operating system". Windows probably has more paid contributors to the Start menu than Ubuntu has total employees. The Windows software is generally rock solid, if frequently spammy (which an advanced Windows user can mostly fix in 30 minutes, especially in Europe).
> It's a stretch to call Windows a "barely maintained operating system".
Looking at the intentional degradation since Win7, I'd call it a "barely and maliciously maintained operating system".
Not a great day to try to argue how well maintained and "rock solid" Windows is, considering the issues it's having (see https://www.techpowerup.com/342032/windows-11-25h2-october-u...), not to mention all the other updates that have caused data loss or broken things, and that's just Windows 11! Just paying a bunch of people to push out updates isn't enough for a well-maintained OS.
> The Windows software is generally rock solid
You're saying this literally a few days after Microsoft pushed out a Win11 update that broke localhost.
And yet that "binary blob browser fork/OS uploaded by an anonymous guy from the internet" is still more respectful of my privacy than the average large proprietary OS. Guess which one I will be using?
That problem runs far beyond distros, of course. Enter relevant xkcd.
(This one, for today's lucky 10 000: https://xkcd.com/2347/)
Yeah, totally. "Hey, we got hacked, but we're just a couple of guys donating our time." Put that on your homepage.
> which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare.
The real obnoxiousness is that Ubuntu doesn't keep these desktop and otherwise specialized variants partially in-house like they once did. It isn't like they don't have the money or the staff. It's just not part of their world takeover plan anymore; no deviation allowed.
Just get away from Ubuntu, install Debian, and choose XFCE when installing. Please.
> It's just not part of their world takeover plan anymore
That's because they don't have a world takeover plan anymore. That plan failed, so they came up with other ones (mobile! Subscriptions!) and those failed too - so now they're just trying to survive.
I honestly prefer for Ubuntu to be just another Linux player doing what most Linux players do (i.e. looking after no. 1 and focusing on internal consistency), rather than their original borg-like form that tried to co-opt the entire ecosystem. As much as I enjoy a reliable Debian-like infrastructure everywhere, there is value in the fundamental diversity of distros focused on different ways to "do Linux".
On the other hand, there are far fewer developers working on XFCE compared to desktop environments like KDE or GNOME. The more obscure places might be better places to hide malware; nobody would notice, unlike in Xubuntu.
> looks like there was a bit of a slip-up
Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.
Either way, nobody should use this distro ever again. It should be forked from a known good commit under a new maintainer.
Nobody injected any malicious code into the repository. This is a website being hacked. As you certainly know, after reading TFA.
Nobody has yet identified any malicious code in the repository.
How do you prove that the person hacking the website is not an associate of (or the same as) the person running the website?
If this were proprietary software then the software would be expected to die. Since this is open source, there is the option for the original project to die and for a fork to rise from the ashes.
Mistakes were made!
I heard tings
Calling this "a bit of a slip-up" while neither confirming nor denying the presence of malware is weird at best and incredibly suspicious at worst.
perhaps the attacker has compromised maintainer credentials / logins?
I ran the checksum for the current ISO file of the full Xubuntu desktop version on the Xubuntu website, and the checksum appears to be valid.
https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
[user@host]$ ls
SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ cat SHA256SUMS
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ echo $?
0
From what I understood, it's the torrent link that downloads a compromised zip file rather than the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
> opened the .exe with file-roller
... This is a thing?
Yes, an exe is just some glorified container format.
don't know about file roller but you can do this in 7-zip to peek at self-extracting archives
And where did you get the reference SHA256SUMS from ? Did you check the gpg signature on them against a good sig from somewhere?
According to the SHA256SUMS from Canonical's official download page at https://cdimage.ubuntu.com/xubuntu/releases/24.04.3/release/ that is the correct checksum.
Good point. The checksums posted on Xubuntu.org could also be compromised.
I downloaded the checksums and the ISO image from the Xubuntu website: https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
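The transcript above compares the digests by eye, checks `$?` after a bare `sha256sum` run (which only reports that the hash was computed, not that it matched), and gets "Can't check signature: No public key" from gpg, meaning the signature on SHA256SUMS was never actually verified. The script below is an added example, not from the thread or from Canonical: it verifies the signature using gpg's machine-readable status output and accepts only a VALIDSIG whose full fingerprint equals the one the transcript's gpg output printed (843938DF228D22F7B3742BC0D94AA3F0EFE21092), then checks just the ISO you downloaded against SHA256SUMS so that absent sibling entries (the minimal ISO) do not mask the result. It assumes `gpg` and GNU `sha256sum` on PATH and that you run it inside the download directory; obtaining the key through a trusted channel is still your job, as the replies below discuss.

```shell
#!/bin/sh
# Added example (not the thread's or Canonical's code): verify an ISO against a
# gpg-signed SHA256SUMS. The fingerprint is the one gpg printed in the thread's
# transcript; replace it if you verify a different publisher's files.
EXPECTED_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Return 0 only when the ISO is listed in the sums file and its digest matches.
# An unlisted file is a failure (exit 2), not a pass, and feeding only this one
# line to sha256sum avoids the failure you get when other listed ISOs are absent.
check_iso_sum() {
    sums="$1"; iso="$2"
    # SHA256SUMS lines look like "<hex>  name" or "<hex> *name" (binary marker).
    line=$(awk -v f="$iso" '{ n = $2; sub(/^\*/, "", n); if (n == f) print }' "$sums")
    [ -n "$line" ] || { echo "$iso is not listed in $sums" >&2; return 2; }
    printf '%s\n' "$line" | sha256sum --check --status -
}

# Inspect gpg's status-fd lines. NO_PUBKEY (what the thread saw as "Can't check
# signature: No public key") means nothing was verified; a GOODSIG alone is not
# enough either, since any imported key yields one. Require VALIDSIG with the
# full expected fingerprint.
gpg_status_ok() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY' && return 3
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 4
    return 0
}

# gpg --verify <detached sig> <signed file>, with status lines captured on stdout.
verify_sums_signature() {
    sig="$1"; sums="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || true
    gpg_status_ok "$status"
}

# usage: verify_download SHA256SUMS.gpg SHA256SUMS xubuntu-24.04.3-desktop-amd64.iso
verify_download() {
    verify_sums_signature "$1" "$2" || { echo "signature on $2 NOT verified (rc=$?)" >&2; return 1; }
    check_iso_sum "$2" "$3" || { echo "$3 does NOT match $2" >&2; return 1; }
    echo "$3: signature on $2 and checksum OK"
}

if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```

Run it as `sh verify.sh SHA256SUMS.gpg SHA256SUMS xubuntu-24.04.3-desktop-amd64.iso` and check its exit status; the key must already be in your keyring for the signature step to pass, which is the point: a "No public key" result is a failure, not a shrug.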
how does one know any signature they find is "good"?
Generally speaking, a signature is cryptographically signed when a checksum value is encrypted with the owner's private key. The corresponding public key should ideally be distributed in a chain of trust, so it can be obtained through a trusted channel.
If you're using a Debian derivative these keys should be in packages distributed with your distro with trust coming from that
We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
Mirrors.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
> In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing.
Is there no way a download over HTTPS can be corrupted non-maliciously, or can fail to complete?
TLS uses message authentication codes which should detect tampering or bit errors. In theory, a cosmic ray could hit the RAM of the device on the receiving end and bit flip after the ISO has been decrypted but still in RAM. Checksumming does not rule bit flips out though as you could checksum the ISO and the bitflip happens between then and when the ISO is actually used to install the system.
Maybe in theory you could checksum the post-installed filesystem, but I'm not sure if any distros actually do that or not, and it would require deterministic install layouts.
It can fail mid-way of course, but it really shouldn't corrupt in any other way. HTTPS is authenticated after all and malicious manipulation is harder to defend against than accidental corruption. But this is reality and you can have bugs and errors outside the transport of course. Your file system could corrupt data, your drive could be bad etc.
For security you want signatures with a known, trusted key.
What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
that website, although unofficial, looks to be one of the many sites online that stuffs a bunch of ads on a wordpress template and links straight to the official download links after a long-winded AI article about the software
also see Bloxstrap, a popular Roblox bootstrapper - its official URL is https://bloxstraplabs.com, but many fakes rank high in SEO (bloxstrap[.]net, blxstrap[.]com, bloxstrape[.]com, bloxstrapper[.]com, bloxstraps[.]net, bloxstrapp[.]com, thebloxstrap[.]net)
currently it isn't hosting malware, but this could obviously change
if you use ublock origin you should be OK, it warns you when you try to access lubuntu.net
Indeed:
uBO has prevented the following page from loading:
"FAKElubuntu.net I wont give backlinks too"
The page was blocked because of a matching filter in uBlock filters – Badware risks.
What is it triggered by?
I have not used uBlock in years, since NoScript as a side-effect of not running scripts tends to block almost everything anyway (in particular ads), but maybe I should install it again after all for things like this.
the "badware risks" filter list
oddly, the one "sus" thing flagged -- a " (C) 2026 " late in 2025 -- is consistent with practices of established book publishers.
I recall purchasing a textbook in September of year X and being surprised that it was "from the future" with a "Copyright X+1".
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that and it never occurred to me any other options is viable.
If you do your cryptocurrency stuff on a laptop/desktop you're probably already in the minority, most of the world only has a smartphone and will use that. If you have two computers you're in a tiny minority. If you can dedicate one computer to just doing cryptocurrency stuff you're now in a fraction of a fraction of a percent.
Never underestimate the impact of convenience. At the same time, I'm so broke that any attackers could just look at my mostly empty wallet and weep (or do automated attacks and extract what little there is in the case of compromise).
This should lead to better checksum verification mechanisms, because if you compromise the site, you can put whatever compromised checksum as well. I think having a centralized checksum verification system for all major (or all) distributions would be a good start.
fortunately, in this case, it seems like the malware may be moot if you use the iso to wipe your windows installation...
But if you just try the live ISO and go back to your Windows without installing, you're infected? Seems like someone wants users to switch to Linux :P
Red Pill Linux
https://web.archive.org/web/20251019143921/https://old.reddi...
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
My solution is just to uninstall the app
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
I had the same idea about the britcard - why doesn't the government just buy the information from the ad brokers?
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
Also, don’t install the app? Use Sink It instead: https://gosinkit.com/
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.
Would definitely recommend.
Thanks for this, I was resorting to creating a PWA on old reddit (which has horrible ergonomics for mobile) per subreddit (you can't rename them so I remember which is which by position) thinking all the reddit clients that don't require login are gone.
Try pressing on the original link and opening it in another tab, that usually bypasses opening the app for me.
For the moment "yesterday for old reddit" on firefox android works quite well.
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
Whatta world
I’ve noticed that even on VPNs, US exit points sometimes block archive.is. Not sure if that is DNS related or what. Non-US VPN exit points don’t seem to be blocked at those times that the site navigation fails on US ones.
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am, so that it can be known and explained if any explanation exists for why mail.ru scripts on archive.is are present. I don’t seem to see those scripts on the Tor version of archive.today, which archive.is is a mirror of today; apparently the original domain is the .is one, in any case.
Consider my curiosity piqued!
More info about the archive.is|.today mirrors including the Tor (.onion) version of the site are on the Wikipedia entry for the site:
https://en.wikipedia.org/wiki/Archive.today
> archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion
Can you define "block"? The archive.is owner does a lot of fake blocking behaviour if they don't like your IP, if you try to use an anonymizer.
I mean that the page doesn’t even begin to load. I get early and often Google reCAPTCHAs on archive.is and its mirrors under normal operation over HTTPS/Tor, but I was referring to the site not loading in at all, and getting some kind of PTR/SSL error iirc when it happens, which is most/all of the time when using US VPN exit points over HTTP(S). I don’t experience these errors at all over Tor, because their Tor site doesn’t use certificates. I run HTTPS-only mode in the clearnet, so perhaps others don’t experience this issue on their machine(s), but I don’t want any kind of MITM and/or downgrade attacks to slip through the cracks, just in case.
More info about NextDNS (AS34939), which is indeed operated in a US jurisdiction:
https://bgp.tools/as/34939
Somebody did sneak a wayland compositor for xfce???
:P
Well actually...
https://wiki.xfce.org/releng/wayland_roadmap
Let's not kid ourselves. A state level actor who is playing the long game can compromise any distro, package, etc. without us knowing about it.
That kind of defeatism isn’t helpful.
The present case also just seems malware easily detected by VirusTotal: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
Look at all the mainstream scanners that failed to detect it!
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which does in this case), it means it is flagged on most target users' machine.
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
That’s pretty normal in my experience. That’s why you check with VirusTotal instead of a single “mainstream” scanner.
Sticking-your-head-in-the-sand-ism isn't helpful either.
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
> why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system?
tqdm is pure Python and available as a wheel. Or is this a general complaint about sandboxing others' code at runtime?
General complaint. Has nothing to do with tqdm.
What's the term for the fallacy that this problem can be ignored because that problem is so much worse?
Sorry, patient, why are we talking about setting your broken arm when you are genetically predisposed to cancer that's going to kill you anyway?
It is the "fallacy of relative privation", for the record.
Nobody said the problem could be ignored ...
Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
As Stuxnet showed us, you don't need to run a nuclear program to be infected by malware developed by state level actors.
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
How would you know?
Don't most of us know what's in our threat model?
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
"Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us"
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned to not fall scam to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
Also, no state-actor would ever blow an immensely costly and rare backdoor like that on us peasants here. Even, if you would threaten to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.
Though, I also doubt they would just shelve these epic exploits, since a universal Linux backdoor likely puts themselves at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.
Which state actor? Not all pigs are equal.
Your comment reflects that truth.
"Linux doesn't get viruses"
Since Xubuntu inception a decade ago, facts certainly have changed!
Well, the virus in this case is a Windows executable targeted at Windows users trying to download Linux...
Official, popular, longstanding (20 years!) Linux distro is clearly distributing "a virus" via an official repo, with nothing about the danger on its website?
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
A regrettable sign of Linux success
That is why I use Qubes OS [1] in order to have a certain peace of mind.
[1] https://www.qubes-os.org/
EDIT: further comment below:
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
[2] https://doc.qubes-os.org/en/latest/project-security/verifyin...
qubes is just as vulnerable as xubuntu in this case (poor website security) no?
We should really compare it to Windows here, since that's the target. But if we do compare it to a classic Linux dist like xubuntu as baseline:
Using Qubes would limit the blast radius for a scenario like this. In QubesOS, you would use disposable VMs (with no access to your crypto wallets or other user files) to download and flash an ISO. So even if this malware was targeting Linux, it wouldn't get zit and disappear when you finish flashing and shut down that VM (as long as there isn't an unpatched exploit breaking the VM isolation involved).
Of course, if the ISO is bad then this won't save you from compromise once you boot it. But that's not what happened here.
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
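The procedure described in the two comments above (clone the site's repo, verify the commit signatures, then trust the rendered instructions) has one step people get wrong: a green "good signature" from git only means some key in your keyring verified the commit, so the check has to pin the history to the specific key you obtained out of band. The script below is an added example, not the thread's or the Qubes project's code. It uses git's real `%H %G? %GF` log placeholders (commit hash, signature status letter, signing-key fingerprint) and an allow-list of fingerprints; the fingerprint in it is a placeholder, not a Qubes key, and the repository path is whatever you cloned.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): require that every
# commit reachable from a ref is signed, verifiable, and signed by an allow-listed
# key. Space-separated full fingerprints; the value here is a PLACEHOLDER, put the
# fingerprint you obtained from a second, independent channel instead.
ALLOWED_FPRS="0000000000000000000000000000000000000000"

# Reads lines of "<hash> <status> <fingerprint>", the shape produced by
#   git log --format='%H %G? %GF' <ref>
# Status letters from git: G good, B bad, U good but untrusted, X/Y expired,
# R revoked, E cannot be checked (key missing), N unsigned. Only G passes, and
# only when the signing key is on the allow-list; a missing key (E) is a
# failure, the same lesson as gpg's "No public key" on a SHA256SUMS file.
audit_signature_log() {
    bad=0
    while read -r commit status fpr; do
        [ -z "$commit" ] && continue
        if [ "$status" != "G" ]; then
            echo "commit $commit: signature status '$status' (need G)" >&2
            bad=1
            continue
        fi
        case " $ALLOWED_FPRS " in
            *" $fpr "*) ;;   # signed by a key we pinned
            *) echo "commit $commit: signed by unexpected key '$fpr'" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# usage: audit_repo <clone-dir> <ref>     e.g. audit_repo ./site-clone origin/main
audit_repo() {
    git -C "$1" log --format='%H %G? %GF' "$2" | audit_signature_log
}

if [ "$#" -eq 2 ]; then
    audit_repo "$1" "$2" && echo "all commits on $2 carry good signatures from allowed keys"
fi
```

The allow-list is the whole point: without it, an attacker who can push to the repo and sign with any key they control still gets `G` once you have imported their key from a keyserver, which is exactly the cross-referencing step the comment above says is left to the reader.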
It's a standard procedure that could be learned in many other ways.
Check a history on archive.org and validate the checksum wasn't changed to be the potentially malicious ISO?
It's not perfect... but it's better than nothing.
so.. same as Linux Mint / Xubuntu?