PolyMc Takeover

README.md

(Rough) Timeline of Events

• Lenny removes code of conduct

  • did it "reclaim polymc from the leftoids"

• Lenny allows people to ping @everyone in discord

• Lenny bans Maintainers from discord

• Lenny removes all other maintainers from GitHub

• The maintainers start their own discord

  • Start sending invite in PolyMc discord

• It is confirmed that this was not an account compromise, Lenny just went rogue

  • signed messages with pgp keys
  • github and discord have mfa

• Word spreads, everyone starts to send announcements

  • Announcement from the Terra devs blows up on twitter - https://twitter.com/kingbdogz/status/1582124211673628672 - https://twitter.com/HelenAngel/status/1582121115153207296

More of statements of facts, idk when they happened:

• Matrix rooms locked
• People spam
  • github
    • https://images-ext-2.discordapp.net/external/wK4re29y_sHFO73T8_8btcsOzuR2vYQWVNDcQHmWWtg/https/oh.why-am-i-he.re/5KAK6n9_V.png
  • discord
• Lenny calls for contributors
  • https://media.discordapp.net/attachments/1031648381514289175/1031668420426608790/unknown.png
  • https://media.discordapp.net/attachments/1031648381514289175/1031667285603123250/unknown.png
  • 4:37 pm EST
• Discord / Matrix are on lockdown, nobody can talk
  • https://i.imgur.com/VcNFTBr.png

Security Issues

• Didn't know if Lenny was hacked
  • Maintainers couldn't contact Lenny outside of discord
    • They couldn't confirm he was hacked and work with his to ensure nothing else was compromised
  • Lesson: they had no real lines of communication outside of discord
• Lenny controlled everything
  • things he owns
    • website
      • where most people download/update poly
      • metadata server, even if people don't update poly, could still attack people via this
      • None of the maintainers were admins
    • GitHub
      • only Lenny had owned
    • Discord
      • main way the maintainers communicated with the public
    • Matrix
      • (probably owned by Lenny?)
    • packages
      • aur
        • (only some packages controlled by Lenny)
      • Centos / RHEL
      • Fedora (isn't this just RHEL?)
      • Nix
      • openSUSE
      • Void
    • Open Collective
      • He now controls this fully, he was successfully able to remove Scrumplex
  • basically controlled due to GitHub releases
    • winget
    • choco
    • Debian / Ubuntu
    • flatpack (later prevented updates)
      • steam deck
    • scoop
• Releases potentially compromised
  • He may have embed malicious code in previous versions
    • He said he had been planning this out
    • thankfully doesn't look like he did
  • Metadata server
    • could be used to compromise users
      • (need clarification on how)
    • (need clarification on what exactly the server does)
  • MacOS has auto-updates
    • if a new release is published, mac users could be compromised

Are you sure its actually Lenny?

Yes, mostly. The ex-maintainers are as sure as they can be, and so am I. Lenny has posted a number of things to prove that he is who he claims to be. He publicly stated that he has mfa, though this could be a lie. Additionally he posted a pastebin which supposedly contains a signed pgp message by Lenny. Though there is some contention as to whether that is Lenny's pgp key, the consensus seems to be that it is. In any event, to quote Scrumplex, "I can't know for sure [if he was hacked]. But either way it isn't very intelligent either doing this, or having such bad OpSec as a 'lead' maintainer of a large project."

thanks for taking the time to make an overview! imo, it's a bit odd that both Lenny's Discord AND GitHub both got compromised... maybe he used the same password for both?
also, the commit on polymc was posted at around 20:00 Lenny's local time (tz guessed from his other commits).

Sorry, forgot the clarify that lenny was not compromised, he just did this out of the blue. (Will be updating this soontm.)