Audacity, the free, open source multitrack digital audio workstation (DAW) that’s at the center of many podcasters’ workflows, was briefly transmitting malware via its downloadable installer for Windows earlier this week. From the Audacity team:
“For about 3 hours on August 2nd 2016 our download server was serving a hacked copy of Audacity that contained malware. This was due to hackers obtaining the password of one of our developers and using it to upload the malware.
“We have now replaced the 2.1.2 hacked Windows installer and disabled that hacked account on FossHub.com – We are taking the incident very seriously indeed. We are working hard, in collaboration with FossHub.com, to do what we can to help prevent such an incident in future. In many ways Audacity is a soft target for hackers – and attractive as a target because of the large number of downloads.”
The malware was limited to the Windows installer for Audacity. It had no impact on either the Mac or Linux versions of the software. The nature of the attack was outlined by FossHub, the website where the infected software was being hosted:
“The attackers uploaded a malware file on the Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.
“They targeted the largest projects listed on FossHub: Audacity and Classic Shell. We reacted promptly for the Audacity installer but for Classic Shell, several hundred users were able to download the malware-infected version.
“We have been in contact with Google, PNAP and other providers.
“Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage.”
If you have downloaded and/or installed Audacity 2.1.2 for Windows this week, it’s strongly recommended that you remove all of those files and re-download the current, non-infected installer and reinstall the program.