Can Obsidian Plugins have Malware?

Things I have tried

What I’m trying to do

I had a strange thing happen just now as I was working in obsidian on mac. my computer camera flash went off. I have bitdefender installed, but then it suddenly stopped working (wouldn’t do a scan) and I had to reinstall it. I’m doing a system scan for malware as I write this. I opened obsidian and told bitdefender to trust the application, but then I got this error message. Not sure if it’s obisidan or something else, some other app, web browser, or just a crazy fluke-but it worries me that my flash went off and the only thing I’ve installed lately is obsidian plugins. are plugins verified by obsidian? any thoughts on this? hope it’s nothing.


This would be the first report of such an issue that I’ve seen. But yes, it is technically possible for a malicious developer to put bad code in a plugin. Plugins are reviewed initially, but not constantly. This is why that “Turn off Safe Mode?” prompt when you first enable community plugins is so important.

To read more about plugin security, the following thread is a pretty good overview. (Note that this forum offers a summarizing feature, just under the first post in a busy thread.)

Security of the plugins

As for your situation, please report back. Most likely this is just a bug (at least, it doesn’t look like a malware warning to me—just a JavaScript error). And let us know what plugins you are using.

PS: have you installed any plugins manually, or just from the Community Plugins gallery?

thanks for your answer… I only install via the gallery… the most recent one was the buttons plugin, but I had just updated about 8 other ones the same day as I hadn’t done an update in some time. I might try to be safe and do a clean install of my mac in case it’s another program or some malware somewhere. I did have my Firefox browser open as I was making notes, so could be from a malicious site? who knows. ugh.

1 Like

I have 70 plugins installed, I do malware scans quite regularly and have not excluded my Obsidian Vault.
I also have the buttons plugin like you have. I do not have a mac, nor a webcam though.
Nothing has popped up yet, haven’t had any problems, attacks or anything yet.
I just wanted to share this so you don’t get paranoid :slight_smile:
If a dev would make a malicious plugin it would most likely be targetted to windows pc’s since there are more users than mac.

1 Like

thanks for the info. I wound up doing a clean install of my mac just in case there was some malware in my system or some browser plugin perhaps.

cheers,

R

1 Like

Good luck and hopefully you stay safe :slight_smile:

1 Like

Some more unsolicited advice:

  • Put a good password on your computer account.
  • Turn off any internet sharing (or if you need it, make sure it’s properly secured.)
  • Make sure your router firmware is updated, and consider changing the password on that too, or locking out external access with an allow list. Yes routers can be infected too.

(my totally uneducated guess is that your blocker app was causing permissions errors which caused that particular javascript error. But that doesn’t mean you aren’t infected with something.)

2 Likes