u/Failed_Alarm

Be very careful when opening shared Obsidian vaults

There was a report on HN of an Obsidian plugin that was abused to deploy a remote access trojan. I removed the link to this report since my post was automatically deleted.

Simple breakdown of the attack discussed:

Someone contacts you on LinkedIn or Telegram (often pretending to be an investor) and asks to collaborate by sharing an Obsidian vault with you. When you open a new vault, Obsidian starts in Restricted Mode. This is a security feature that prevents third-party plugins from running. The attacker will try to trick you into turning this mode off to "enable collaboration features."

The attackers have already placed modified, malicious versions of popular plugins (like Shell Commands) inside the hidden .obsidian folder of that vault. The moment you click "Turn off Restricted Mode," these plugins automatically run. They execute a script that downloads the PHANTOMPULSE RAT (a tool that gives them remote control of your computer).

This malware is "fileless," meaning it lives in your computer's memory rather than on the hard drive. This makes it very hard for standard antivirus software to detect.

Moral of the story: be extremely vigilant when opening external vaults. This may sound like common sense, but recently I've seen several people in this sub asking for "example vaults".

With increasing usage of Obsidian and people looking for tutorial/example vaults, I think it's good to stay vigilant. Trusting a vault from an unknown author can infect your PC with malware.

Edit: I forgot to mention that kepano already responded in the HN thread and announced that "there is a major update coming soon for plugin security," so rest assured this is on the radar of the team.

u/Failed_Alarm — 3 days ago
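The post's point is that any plugin code already sitting in a shared vault's `.obsidian` folder starts the moment Restricted Mode is turned off. A defender-side check before that click is to inventory that folder without opening the vault in Obsidian at all. The script below is an added example, not part of the post and not Obsidian's own tooling. It assumes Obsidian's documented layout (`.obsidian/community-plugins.json` is a JSON list of enabled plugin ids; each plugin lives in `.obsidian/plugins/<id>/` with `main.js` and `manifest.json`), only reads files, never executes plugin code, and uses a small set of review markers that I chose (process spawning, network access, runtime code evaluation). The sample vault it builds is constructed test data, not a real malicious plugin.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic review markers (my choice, not an Obsidian feature). Hits are triage signals,
# not verdicts: the legitimate Shell Commands plugin spawns processes by design.
REVIEW_MARKERS = {
    "spawns processes": re.compile(r"child_process|\bspawn\s*\(|\bexec(?:Sync|File)?\s*\("),
    "fetches remote content": re.compile(r"\bfetch\s*\(|\brequestUrl\s*\(|https?://"),
    "evaluates code at runtime": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}


def audit_vault(vault) -> dict:
    """Inventory third-party plugin code bundled in a vault's .obsidian folder.

    Layout assumed (Obsidian's documented one): .obsidian/community-plugins.json is a JSON
    list of enabled plugin ids; each plugin lives in .obsidian/plugins/<id>/ with main.js
    and manifest.json. Nothing here is executed; the files are only read.
    """
    vault = Path(vault)
    cfg = vault / ".obsidian"
    enabled = set()
    enabled_file = cfg / "community-plugins.json"
    if enabled_file.is_file():
        try:
            enabled = set(json.loads(enabled_file.read_text(encoding="utf-8")))
        except ValueError:
            pass  # unreadable list: treat every plugin as not enabled, still report it
    plugins = []
    plugin_root = cfg / "plugins"
    if plugin_root.is_dir():
        for d in sorted(p for p in plugin_root.iterdir() if p.is_dir()):
            main_js = d / "main.js"
            if not main_js.is_file():
                continue  # no code that could run
            manifest = {}
            mf = d / "manifest.json"
            if mf.is_file():
                try:
                    manifest = json.loads(mf.read_text(encoding="utf-8"))
                except ValueError:
                    manifest = {}
            src = main_js.read_text(encoding="utf-8", errors="replace")
            plugins.append({
                "id": d.name,
                "name": manifest.get("name", d.name),
                "version": manifest.get("version", "?"),
                "enabled": d.name in enabled,           # starts as soon as Restricted Mode is off
                "id_mismatch": manifest.get("id", d.name) != d.name,  # folder vs manifest disagree
                "review": [label for label, rx in REVIEW_MARKERS.items() if rx.search(src)],
            })
    return {
        "vault": str(vault),
        "bundled_plugins": len(plugins),
        "will_run_if_unrestricted": [p["id"] for p in plugins if p["enabled"]],
        "plugins": plugins,
    }


def build_sample_vault(root: Path) -> Path:
    """Write a constructed shared vault: one harmless plugin and one pre-enabled plugin whose
    main.js spawns processes and reaches the network. Sample data only, not real malware."""
    cfg = root / ".obsidian"
    (cfg / "plugins" / "word-count").mkdir(parents=True)
    (cfg / "plugins" / "shell-commands").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(json.dumps(["shell-commands"]))
    (cfg / "plugins" / "word-count" / "manifest.json").write_text(
        json.dumps({"id": "word-count", "name": "Word Count", "version": "0.0.0-sample"}))
    (cfg / "plugins" / "word-count" / "main.js").write_text(
        'module.exports = class extends Plugin {\n'
        '  onload() { this.addStatusBarItem().setText("0 words"); }\n};\n')
    (cfg / "plugins" / "shell-commands" / "manifest.json").write_text(
        json.dumps({"id": "shell-commands", "name": "Shell commands", "version": "0.0.0-sample"}))
    (cfg / "plugins" / "shell-commands" / "main.js").write_text(
        'const { exec } = require("child_process");\n'
        'module.exports = class extends Plugin {\n'
        '  onload() { exec(this.settings.command); fetch("https://example.invalid/update"); }\n};\n')
    return root


def demo() -> dict:
    """Build the sample vault in a temp dir and audit it; returns the report."""
    return audit_vault(build_sample_vault(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    report = demo()
    print(f"{report['bundled_plugins']} plugin(s) bundled in {report['vault']}")
    print("would start the moment Restricted Mode is turned off:", report["will_run_if_unrestricted"])
    for p in report["plugins"]:
        print(f"  {p['id']} v{p['version']} enabled={p['enabled']} review={p['review'] or 'none'}")
```

Run it against a real vault with `audit_vault("/path/to/shared-vault")`. A non-empty `will_run_if_unrestricted` list means the sender shipped the vault with plugins already switched on, which is exactly the setup the post describes; compare each bundled `main.js` against a fresh copy of that plugin from the official community list before enabling anything, since a hit on the review markers alone does not distinguish a tampered plugin from a legitimate one that needs those APIs.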