Sublime Forum

Possible phishing attempt through adding a Package Control repository

#1

I recently received an email from someone apparently impersonating Sublime HQ attempting to convince me to add a new Package Control repository. This looks a lot like a phishing attempt so I’m posting this message here to alert Sublime HQ, Package Control maintainers and other users about it.

The phishing email message follows below:

Hello [Name]!

We’re pleased to announce that Sublime Text will soon be launching our own official plugins through Package Control! As a licensed Sublime Text user, we’d like to offer you the chance to be one of the first users with access to a preview release. Your API key will expire if it is not used by Friday, 11 August 2017. Please do not share your API key.

The simplest method to prepare Sublime Text for our plugins is by adding the preview repository to Package Control. To do this:

  1. Launch Sublime Text
  2. Press ctrl+shift+p
  3. Click “Package Control: Add Repository”
  4. Enter the following URL for your exclusive preview repository:
    [Link removed; it pointed to package-control.io]

You can expect to see Sublime Text notify you about new plugins from next week! We look forward to your feedback and thank you for your support.

Regards,
Sublime HQ Pty Ltd

6 Likes

pinned globally #2
0 Likes

#3

Well, you know Sublime is big when people start trying to exploit it.

1 Like

#4

Edit: I received a URL, thanks!

Can someone message me the URL please?

0 Likes

#5

They appear to be tracking users via the api_key. You get a 403 without a valid api_key. A valid api_key is the SHA1 hash of your email address.

Currently the repository is empty.

They have DNS hosting through Yandex. The server is hosted at DigitalOcean in NY.

3 Likes

#6

The owner of the domain has changed the DNS to point to 127.0.0.1.

Package Control v3.3.0-beta3 is in testing, and will blacklist package-control.io (the real site is https://packagecontrol.io) to prevent the owner from resurrecting the malicious domain and targeting PC users in the future.

5 Likes
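As an added example (not part of any post in this thread, and not Package Control's own code), the two indicators reported in posts #5 and #6 can be checked against the repository URLs a user has configured: a host that differs from packagecontrol.io only by punctuation, and a query parameter whose value is the SHA-1 of the user's own email address. The function names, the sample address and the sample path are assumptions made for illustration, and so is the normalisation of the address before hashing, which the thread does not state.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

OFFICIAL_HOST = "packagecontrol.io"  # the real site named in post #6


def _skeleton(host):
    """Reduce a host name to its letters and digits so 'a-b.io' and 'ab.io' compare equal."""
    return re.sub(r"[^a-z0-9]", "", host.lower())


def _email_digests(email):
    """SHA-1 hex digests of the address as typed and lowercased (normalisation is assumed)."""
    forms = {email.strip(), email.strip().lower()}
    return {hashlib.sha1(f.encode("utf-8")).hexdigest() for f in forms}


def audit_repository(url, email):
    """Return the findings for one repository URL; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    official = host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)
    if not official and _skeleton(host) == _skeleton(OFFICIAL_HOST):
        findings.append("lookalike-host")
    digests = _email_digests(email)
    for name, value in parse_qsl(parts.query):
        if value.lower() in digests:
            findings.append("email-derived-token:" + name)
    return findings


def audit_repositories(urls, email):
    """Map each flagged URL to its findings; clean URLs are left out."""
    report = {url: audit_repository(url, email) for url in urls}
    return {url: found for url, found in report.items() if found}


if __name__ == "__main__":
    # Constructed sample input: the address, path and token below are made up.
    email = "user@example.com"
    token = hashlib.sha1(email.encode("utf-8")).hexdigest()
    urls = ["https://packagecontrol.io/channel_v3.json",
            "https://package-control.io/preview.json?api_key=" + token]
    for url, findings in audit_repositories(urls, email).items():
        print(url, findings)
```

An empty result only means neither of these two indicators matched; it is not an allow-list check of the host.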

unpinned #7
0 Likes

#8

Can someone nuke all the shit fucking bastards who are about to destroy the internet and all the good software out there?

2 Likes

#9

I received an email last night telling me this whole situation was a security exercise on their part, and not a real attack.

Needless to say, I am rather annoyed at them wasting our time and creating such an incident on purpose.

0 Likes

#10

Them being who?

0 Likes

#11

I’ve been asked not to comment on the details, but I can confidently say there was no actual payload – the repository was an empty JSON object.

If you wish to contact me directly via will@wbond.net, I can provide users with information to confirm what I am saying.

0 Likes