There was a malicious addon on our repo that installed a coin miner on some systems. This was NOT caused by the Gaia addon, but another dependency addon that was located in the common directory of our repo. In this directory we keep a bunch of third-party addons that are directly or indirectly needed by Gaia (or its dependencies). Only Windows and Linux systems are affected. The mentioned addon hasn't been in our repo since April.
Although this was not our addon, it is my duty as the main dev to make sure that everything on our repo is clean. A job that I clearly haven't done well. I therefore apologise to the community for not being diligent and I take full responsibility for this.
Where did it come from?
Not entirely sure. But this has been around since Bubbles. We forked the project from Bubbles back in Nov/Dec 2017. This was already present in Bubbles and when forking it, the malicious addon was also copied over. This might have been added by Bubbles unintentionally, or he might have put it there intentionally as a final goodbye. We also gave Bubbles access to our repo to help with the forking and the first releases. I don't think I changed the password of the repo, and he might have had access to the repo for a while. I have changed the password now (see further details below).
Am I affected?
Only Windows and Linux machines are affected, Mac and Android users should be fine. The malicious addon hasn't been in our repo for the last 5 months. To ensure that your system is clean, do the following:
1. Uninstall the "script.module.python.requests" addon by going to Kodi Settings -> Systems -> Add-ons -> Manage dependencies -> Python Requests -> Uninstall. If you don't have this addon, you should be fine. If you cannot uninstall this addon, downgrade "script.module.simplejson" to version 3.4.0 and try uninstalling it again.
2. Uninstall Gaia repo 1, 2, and 3. Install our new "Gaia Repo" from GitHub (https://github.com/gaiaorigin/gaiaorigin). We now only have 1 repo, without any number at the end.
3. Uninstall any old Bubbles stuff if you haven't done so already.
4. Scan your machine with ESET (https://www.eset.com). On Windows you can use the ESET Free Online Scanner, and on Linux the free trial of ESET NOD32 Antivirus for Linux Desktop. Existing ESET customers are protected automatically.
5. Update to the latest Gaia version 3.2.2.
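As an added, defender-side check that is not part of the original post: a small Python script that parses the addon.xml of every installed Kodi addon and reports whether the addon id named in step 1 is installed, or is declared as a dependency by another installed addon (which would pull it back in). The default addons path (~/.kodi/addons) and the sample addon ids and versions are assumptions.

```python
# Added detection check, not from the Gaia project: report whether the addon id named
# in the post is installed in a Kodi addons directory, and which addons depend on it.
import os
import xml.etree.ElementTree as ET

BAD_ADDON_ID = "script.module.python.requests"  # addon id named in the post

def parse_addon_xml(xml_text):
    """Return (addon_id, [required addon ids]) from addon.xml text, or None if unparsable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "addon" or not root.get("id"):
        return None
    # Kodi declares dependencies as <requires><import addon="..." version="..."/></requires>.
    return root.get("id"), [i.get("addon") for i in root.iter("import") if i.get("addon")]

def scan_addons(addon_xmls, bad_id=BAD_ADDON_ID):
    """Return {'installed': bool, 'dependents': [ids]} for an iterable of addon.xml texts."""
    result = {"installed": False, "dependents": []}
    for parsed in map(parse_addon_xml, addon_xmls):
        if parsed is None:
            continue
        addon_id, requires = parsed
        if addon_id == bad_id:
            result["installed"] = True
        elif bad_id in requires:
            result["dependents"].append(addon_id)
    return result

def scan_addons_dir(addons_dir):
    """Scan every <addons_dir>/<addon>/addon.xml; a missing directory counts as clean."""
    texts = []
    for name in sorted(os.listdir(addons_dir)) if os.path.isdir(addons_dir) else []:
        try:
            with open(os.path.join(addons_dir, name, "addon.xml"), encoding="utf-8") as fh:
                texts.append(fh.read())
        except OSError:  # not an addon folder, or unreadable
            continue
    return scan_addons(texts)
# Constructed sample addon.xml texts (placeholder ids and versions, not real addon files).
SAMPLE_ADDON_XMLS = [
    '<addon id="script.module.python.requests" version="1.0.0"></addon>',
    '<addon id="plugin.video.example" version="1.0.0"><requires><import addon="xbmc.python" '
    'version="2.1.0"/><import addon="script.module.python.requests" version="1.0.0"/></requires></addon>',
]
if __name__ == "__main__":  # assumed default Linux location; Windows uses %APPDATA%\Kodi\addons
    print(scan_addons_dir(os.path.expanduser("~/.kodi/addons")))
```

If the script reports dependents, uninstalling the named addon alone is not enough, because a later dependency resolution can reinstall it; those addons need to be removed or replaced as well.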
What steps have you taken?
To make sure this does not happen again, I did the following:
1. Every other dev was kicked off the repo. Currently only I have access to it.
2. All new commits from other devs will now go through me. I will verify them before adding them to the repo. This means that updates will be released a bit slower, due to the additional auditing phase.
3. I will make sure that all third-party addons are thoroughly investigated before adding them to our repo.
4. I have removed the common directory on our repo for now. Only 2 addons were dirty, but one can never be sure and I therefore removed all third-party addons as a precaution. I will now look at each of those addons (line by line) to make sure they are clean. Once they are audited, I will add them back to the repo. Since there are tens of thousands of lines of code in all those addons, this can take weeks. You will therefore not be able to install Gaia from our repo automatically, but you have to install all dependencies manually. The porting to Leia will also have to be moved out by 1 or 2 months while we get the repo back up – sorry to those that have been waiting for this a long time.
5. I've created a new clean repo. The old repo is still available under our GitHub account.
What happened to Gaia's repo in April?
Every now and then we update all the addons in the common directory. This was the case at the end of April. We added the Elementum all-in-one addon which is larger than 100MB (or at least was 104MB back in April). If you upload anything larger than 100MB to GitHub, the Git Large File Storage (LFS) kicks in, which limits the monthly bandwidth of the repo, and to get rid of it you have to upgrade to GitHub premium. Since we didn't want to pay for the repo, the only solution was to delete the repo and create a new one.
Was that why Gaia was so slow?
One of the oldest issues with Gaia was that menus loaded very slowly. The issue was fixed in Gaia version 3.2.0 (see "Way faster menu loading." in the changelog). This has nothing to do with the coin miner at all. The reason for menus loading so slowly was that we imported ResolveURL at the top of our script. The moment you import ResolveURL, it checks all of its resolvers. This can take a while, especially on slow devices. This meant that every time you navigated to a sub-menu in Gaia, ResolveURL would be re-loaded in the background, slowing down Gaia. We moved the import statement to just before it is actually required (that is, when you start playing something). The menus should now be super fast. Some menus (like new releases, etc.) might still be slow, since the latest list has to be retrieved from Trakt/IMDb. We also added caching for those menus, so they will only be slow the first time you open them.
If there are any Python and Kodi devs out there, we would appreciate you checking our repo every now and then. I will make sure that all new updates to the repo are audited, but it is always good to have a few extra eyes on it.
All new announcements about this topic can be found on our website (gaiakodi.con) and I will also update the Reddit post. More info and discussion about this are available here:
I have changed the password for the repo and locked out all other developers. I gave Bubbles access to the repo when we forked, but I can't remember if I changed the password. I also renamed the "common" directory. It should not be pulled from by Kodi anymore. Will investigate.
We are aware of the news that is making the rounds that there is a coin miner somewhere in our repo. We will look into this IMMEDIATELY and keep you up to date on what is going on.
We are not yet sure where this originates from. Reports from Reddit and other sites indicate that one of the external addons in our "common" directory has some bad code in it. There are also a few other repos, including the XvBMC and the old Bubbles repo, that are affected. As far as we can see this is still something left over from Bubbles, but I'm not sure if that was added intentionally by him. From what we currently know, this addon is the culprit. If you have it installed, please remove it immediately:
We also recommend running an antivirus scan just to be doubly safe. ZDNet also states that this only affects Windows and Linux, so Android users should be fine. This addon is not a dependency of Gaia and is also currently not in our repo. I think it was removed at some point when we updated the "common" addons and couldn't find its dependency. The main repo should be fine; however, the backup repos (2 & 3) might still contain old stuff. We haven't used them in a while and I'm not even sure if they still work. For now, stay away from any old Bubbles stuff and backup repos. We will also update the main repository to exclude the "common" directory. We will investigate each of those dependency addons to see if there is something fishy. We will leave the files on the repo for public investigation, but we will make sure that they are not pulled by Kodi updates.
I truly apologise for something like this happening, and there is absolutely no excuse for this. I'm the lead developer on this project, amongst a team of other devs. Those of you who have worked with me (and also interacted with me on our ticket system) know that I am always dedicated to bringing the best to the Kodi community. I'm therefore extremely sorry that something like this happened under my watch. I'm the leader of the team and it is my responsibility to check everything that is committed. I was also not diligent enough when forking the stuff from Bubbles. I also have to admit that I updated the addons under the "common" directory by looking for the latest version on Google, without inspecting them before adding them to our repo. I will now go line by line through all those addons to make sure that they are not doing anything weird.
Just to reiterate again, the current Gaia addon and our Repo 1 are NOT affected by this, but you should get rid of:
All old Bubbles stuff
Gaia repo 2 & 3 to be safe, there might be old Bubbles stuff in here
I will add all further announcements to our website as well, in case you want to completely uninstall Gaia and wait for news. I have a night shift that starts in a few hours, but I will get on this immediately afterwards. If you have any clues that can help in the investigation, please submit a ticket to our website, or use the email address at the bottom if you do not want to create an account there.