In a blog post on Wednesday, Panic Inc. developer and co-founder Steven Frank disclosed that he downloaded a malware-infected version of HandBrake earlier this month, which led to the theft of the source code for several of the company’s popular apps.
In early May, a mirror download server hosting the popular video coding app HandBrake was hacked, and an infected version of the HandBrake app took the place of the genuine article. The hacked version infected users’ machines with OSX.PROTON, which gave hackers root-access privileges to a Mac.
Hackers were able to access Frank’s Mac via the infected app, and collected his login credentials, including his git credentials. Frank assures Panic customers that the hackers did not access customer data or sync data.
In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned.
Long story short, somebody, somewhere, now has quite a bit of source code to several of our apps.
Before I continue, three important points:
- There’s no indication any customer information was obtained by the attacker.
- Furthermore, there’s no indication Panic Sync data was accessed.
- Finally, our web server was not compromised.
(As a reminder, we never store credit card numbers since we process them with Stripe, and all Panic Sync data is encrypted in such a way that even we can’t see it. Read more.)
Panic offers several popular apps, including web editor Coda, FTP app Transmit, SSH client Prompt, and more. The attackers have demanded a large ransom, to be paid via Bitcoin. Panic does not intend to pay the ransom.
Panic warns customers to only download Panic’s apps from the Panic website or the Mac App Store, as the stolen source code could potentially be used to create malware-laden versions of the software packages.
Panic has been in contact with both Apple and the FBI, and Apple’s team is on the lookout for any stolen or malware-infested versions of the Panic apps. The FBI is investigating the matter.
Frank asks that customers notify the company if they see any unofficial Panic apps available in the wild. Such apps are likely to be infected with malware in an attempt to spread their evil payload.
We’ll be working overtime for the foreseeable future to keep an eye on this situation.
But we could also use your help.
If you see any cracked or otherwise unofficial versions of our apps in the wild, it’s safest to assume they are infected, and we ask that you please let us know. If you see our source show up somewhere, also let us know. And if you have information that could help with the investigation into this incident, definitely let us know.