All umami instances have been infected with a persisting crypto miner. Umami was affected by the Next.js CVE but quietly released a fix, so most of their users missed it.
Submitted 3 weeks ago by Mubelotix@jlai.lu to selfhosted@lemmy.world
https://jlai.lu/pictrs/image/7dad24a4-96b9-46a7-b349-95fc0e927418.jpeg
Link? Did you discover this yourself? There is no actual info here.
Thank you!
All recently opened issues are about this. I was a victim, but I’m not the first and people on Reddit have done better investigations than I have. Look for the name of the process at the top.
Thanks.
For severe incidents like this, please post the most appropriate link, in this case github.com/umami-software/umami/issues/3852
Admins in self hosted usually don’t have that much experience with real, active compromise and may panic; let’s help them as much as possible.
What was the vector? Did you have umami exposed publicly?
All umami instances have been infected with a persisting crypto miner.
Source for that claim? Because it sounds like you’ve misunderstood something.
Look inside
React2Shell
Wow I’m glad I happened to see this here. Thank you for the post. I was just thinking about putting all my services behind a VPN too, I think I’m going to go ahead and put that at the top of the list…
This could explain why my 4C/8T VPS started hitting 100% CPU usage shortly after boot with like next to nothing else running on it.
Yup, umami was the culprit in my case. Quick update and it’s all running smooth again.
I see it’s running Ansible. That’s an obvious risk.
EncryptKeeper@lemmy.world 3 weeks ago
I don’t know about “all umami instances being infected” but they were certainly all vulnerable.