GHSA-w687-f44x-x42j false positive?

Open cgauld opened this issue 3 years ago • 5 comments

We received a dependabot alert about this advisory: https://github.com/advisories/GHSA-w687-f44x-x42j

It's very strange, because this isn't an NPM package - it's a built-in element of the Unity game engine and is referenced from their "package.json" manifest files (not related to NPM).

Are there any more details about this advisory and if it is indeed an issue with Unity packages?

Thanks for any insight!

cgauld avatar Jun 20 '22 19:06 cgauld

I suppose this might be related: https://www.npmjs.com/package/com.unity.modules.audio

If I had to hazard a guess, someone uploaded an infected package to npm with the exact same name of the package from upm (Unity Package Manager) in an attempt to accidentally have someone download from npm rather than upm. Since Unity borrowed most of the syntax (including package.json), I guess there's no way for GitHub to know whether the npm or upm package is actually referenced.

However, I agree; additional clarification or confirmation on this would be greatly appreciated.


Edit: This seems to not be limited to just one unity-related advisory:

  • GHSA-v47x-cp4q-m8v7 (com.unity.collab-proxy)
  • GHSA-r7fv-fm93-j23p (com.unity.modules.umbra)
  • GHSA-jw2f-pjqp-6fjg (com.unity.modules.vehicles)
  • GHSA-9r8v-x7c9-gx9r (com.unity.modules.wind)
  • GHSA-qw53-6pfc-59hw (com.unity.modules.ai)
  • GHSA-c7vm-c237-53rp (com.unity.modules.screencapture)
  • GHSA-vpcm-jjhp-6jjg (com.unity.modules.video)
  • GHSA-mmmm-qw9x-6r43 (com.unity.modules.tilemap)
  • GHSA-ccg6-ww3f-c39h (com.unity.modules.ui)
  • GHSA-2m3x-43c8-4fc3 (com.unity.modules.assetbundle)
  • GHSA-7prf-hjc6-4wqj (com.unity.modules.imageconversion)
  • GHSA-6jjr-cfhq-2rc7 (com.unity.modules.director)
  • GHSA-xwg9-w3x2-fmf7 (com.unity.modules.particlesystem)
  • GHSA-9522-2wvg-j4pc (com.unity.modules.physics2d)
  • GHSA-pm97-j6q8-376p (com.unity.modules.physics)
  • GHSA-3j79-m5q3-qqpr (com.unity.modules.audio)
  • GHSA-wrpw-j92r-vrvq (com.unity.modules.uielements)
  • GHSA-qqqx-23r5-prvc (com.unity.modules.animation)
  • GHSA-cvgg-5542-9692 (com.unity.textmeshpro)

ViMaSter avatar Jun 20 '22 20:06 ViMaSter

Post processing got flagged, too. https://github.com/advisories/GHSA-3x2r-7cgg-82q2 (com.unity.postprocessing)

LegoCylon avatar Jun 20 '22 22:06 LegoCylon

com.unity.modules.physics GHSA-pm97-j6q8-376p got flagged as well

Is any action required when everything has been loaded via unity hub / unity package manager? ...Just read some articles and there have been npm malware injections in the past (within unity). This is concerning, it would be nice to know either how long the malware npm was downloadable or how to find out if the system is compromised.

cgtinker avatar Jun 20 '22 22:06 cgtinker

Guess it's a similar issue here? https://github.com/advisories/GHSA-fw55-8gwc-gf65

Have the first one installed but got a dependabot alert about the second one.

brunohstein avatar Jun 20 '22 22:06 brunohstein

Do Unity packages ever auto-update? It looks like the malicious com.unity.textmeshpro (GHSA-cvgg-5542-9692) was only published 10 months ago, so I'm assuming that I'm safe since I haven't opened my Unity project file since then.

jordan-zilch avatar Jun 28 '22 18:06 jordan-zilch

Apologies for the late reply on this thread, but for clarity what's happening is that malware is being uploaded to npm. These advisories are for the packages on npm and not for the unity packages. We have a known issue with dependabot where unity package.json files are being interpreted as npm files. I can't comment on a timeline, but we're aware of the issue and working toward a fix.

We suspect the malware is being uploaded to npm to squat the unity package names in the hopes that users also mix up npm and unity package.json files.

See also: https://github.com/github/advisory-database/issues/516

darakian avatar Oct 18 '22 22:10 darakian
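As an added illustration of the mix-up ViMaSter and darakian describe above (this is not code from GitHub, Dependabot or Unity, and the UPM-vs-npm heuristics are my own assumptions, not how Dependabot actually decides), here is a small triage script that checks whether the package.json behind an alert is really a Unity Package Manager manifest rather than an npm one:

```python
import json
import re

# UPM package names are reverse-DNS (com.unity.modules.audio); npm names are
# short ("express") or scoped ("@scope/name"), which this pattern rejects.
REVERSE_DNS = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def looks_like_upm(manifest: dict) -> bool:
    """Heuristic (an assumption of this example, not GitHub's logic): a UPM
    manifest carries a 'unity' editor-version field or 'scopedRegistries',
    has a com.unity.* reverse-DNS name, or lists only reverse-DNS deps."""
    if "unity" in manifest or "scopedRegistries" in manifest:
        return True
    name = manifest.get("name", "")
    if REVERSE_DNS.match(name) and name.startswith("com.unity."):
        return True
    deps = manifest.get("dependencies", {})
    return bool(deps) and all(REVERSE_DNS.match(k) for k in deps)


def triage_alert(manifest_text: str, alerted_package: str) -> str:
    """Classify a Dependabot alert that names `alerted_package`.
    'likely-false-positive': the file is a UPM manifest, so the name resolves
    through Unity Package Manager, never the npm registry.
    'investigate': a real npm manifest references the squatted name and would
    pull it from npm on install.
    'unrelated': the package is not referenced in this manifest at all."""
    manifest = json.loads(manifest_text)
    deps = {**manifest.get("dependencies", {}),
            **manifest.get("devDependencies", {})}
    if alerted_package not in deps:
        return "unrelated"
    if looks_like_upm(manifest):
        return "likely-false-positive"
    return "investigate"


# Constructed sample: a Unity Packages/manifest.json as the editor writes it.
UNITY_MANIFEST = json.dumps({"dependencies": {
    "com.unity.modules.audio": "1.0.0", "com.unity.textmeshpro": "3.0.6"}})
# Constructed sample: an npm package.json that really lists the squatted name.
NPM_MANIFEST = json.dumps({"name": "my-web-app", "version": "1.0.0",
    "dependencies": {"express": "^4.18.0", "com.unity.modules.audio": "1.0.0"}})

if __name__ == "__main__":
    for text in (UNITY_MANIFEST, NPM_MANIFEST):
        print(triage_alert(text, "com.unity.modules.audio"))
```

Run it over every package.json that Dependabot points at; only the "investigate" cases mean an npm install could actually fetch the squatted package.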

Hey all 👋

Quick update on this. I'm gonna close this issue out as we have just recently merged in a fix for this issue. If you see more erroneous alerts please feel free to reopen this issue or to make a new one 👍

darakian avatar Dec 16 '22 19:12 darakian