Pidgin Users Beware! Malicious Plugin Discovered with Keylogger
In a recent and alarming development, the popular messaging client Pidgin has removed a third-party plugin, “ss-otr,” from its plugin list after it was discovered to contain a malicious keylogger. The plugin was added to Pidgin’s third-party plugins list on July 6th. On August 16th, a user, 0xFFFC0000, flagged it, reporting suspicious behavior, including the unauthorized capture and sharing of screenshots.
The Pidgin team acted swiftly, pulling the plugin from the list and launching a thorough investigation. On August 22nd, cybersecurity expert Johnny Xmas confirmed that the plugin was indeed equipped with a keylogger, a tool used to secretly record every keystroke made by a user, potentially exposing sensitive information such as passwords and private messages.
This discovery has raised significant concerns within the Pidgin community, as the plugin was available for over a month before its true nature was uncovered. The Pidgin team has strongly advised all users who installed the “ss-otr” plugin to uninstall it immediately to prevent further compromise.
In response to this breach, Pidgin has announced a new policy to strengthen the security of its ecosystem. Moving forward, all third-party plugins linked on Pidgin’s site must adhere to an OSI Approved Open Source License, and the Pidgin team will enforce a higher level of due diligence to ensure the safety and integrity of all plugins.