Users on reddit reporting that the 3rd party script sent your Private Key to an API endpoint. People are reporting that XCH have also gone missing.
Unfortunately, this means your best course of action to protect yourself is to transfer any XCH into another wallet, clean install your OS (who knows what else the script has done), and re-plot…
Reddit thread: https://www.reddit.com/r/chia/comments/nl94th/psa_potential_security_breach_for_end_users_who/
hmmm good reminder to be careful with 3rd party programs.
Also agree with some comments there, that if the Chia GUI actually had a good plot scheduler, ppl wouldn’t want/need to go 3rd party.
Wow, that is crazy. Sounds like nightmare scenario. The github for that script is now gone. He is probably taking coin as fast as he can before people realize what is up.
I use 3 third party scripts (all on github)
- Chiadog (martomi/chiadog) - to alert me of my farming issues.
- Swar’s plot manager (swar/Swar-Chia-Plot-Manager) - plot management
- PSChiaPlotter (mrpig91/PSChiaPlotter) - to show me the time breakdown of the phases.
I think these are pretty common and widely used. I do hope that Chia adds more functionality in their GUI or creates some accompanying software that would do more. I’m sure there will be actual third party software released someday that does a lot of this and we won’t have to rely on these types of scripts.
Also, it would really help once applications/devices like Ledger would add Chia support.
If Swar ends up having some sort of malware, I think Chia as a project is done for lol. That would be a widespread catastrophe fingers crossed that’s not the case and the community is actually reviewing the git repo
The scary thing about this developer is the fact that he was “assisting” people via Discord, getting them to install the script to deal with sync problems. Who knows how many people are affected and don’t know yet.
It is sounds now like a good idea to run clean installed node to farm and make plotting rig physically offline
Yep, thats pretty bad.
I’m a maintainer of a “3rd Party” repo aswell (Ploto, a PowerShell plot manager).
Its disgusting to see that one simple line of merely obfuscated code (aliases are bad), robs so many wallets. And even the private keys…
A good reminder you should check your fellow tools before using them. Line by line.
Never trust, always verify is the leading principle.
Especially if you run scripts on machines that have your private keys.
And what about setting xch_target_address to cold wallet?
At this point I feel like it’s even safer to keep my XCH at a random exchange. All those incoming 8444 connections etc. Who knows if and when a vulnerability will be found…
If you’re a cleaner and see an abnormal amount of HDD’s in a house you could just enter the GUI and send some to your own wallet. Or if the PC is protected just take the whole PC and deal with it later.
Yes now that you mention it, there isn’t even a password or something needed to do transections from the GUI wallet right?