Due to an oversight by the Inkscape developers, the site was thought to have been compromised


For a moment it was thought that the Inkscape files had been compromised

A few days ago the news broke that developers of the NixOS distribution had noticed traces of malicious activity on the host used to download the free vector graphics editor Inkscape, “media.inkscape.org”.

They report that, during a brief analysis of the Inkscape download host, they found inside the directory "/dl/resources/file/" (from which downloads of the official Inkscape releases are served) an index file containing an online casino registration form that sends data to a WhatsApp number.

The file in question, "index.html", led the NixOS developers to believe that the host serving the Inkscape files had been compromised and, in particular, that the files offered for download from Inkscape might have been tampered with during the attack.

Visiting the URL shows an HTML page containing spam unrelated to Inkscape (excerpt below):

DAFTAR 1 AKUN UNTUK SEMUA JENIS GAME SLOT ONLINE

Given this, the NixOS developers contacted the Inkscape developers and informed them of the matter; initially they received no response on the case, which led users to fear the worst.

Soon the Inkscape project representatives came out to clarify the situation and calm the community, reporting that the "problematic" index.html file was a leftover from a past incident that had been "sneaking in" ever since.

Sorry about the index.html file, which was placed on our server a long time ago; even though the resource database entry was deleted a long time ago, the file remained on the file system, and the fast cache continued to duplicate it.

I've deleted the html file, reset the quick cache (for both / and index.html), and run integrity checks on all files, the web server, and various intrusion possibilities, all of which are negative. This file was uploaded through the gallery uploads on the website, something anyone can do. An index file now gets in the way to prevent this from happening again.

If you want to verify the source tarball, I always recommend checking against the GPG signature loaded in the versions app here (Inkscape 1.3 - Source: File: xz tarball | Inkscape) and checking it against the GitLab sha you've already made, for extra paranoia points.

Sorry for the problem.

In this explanation, the file is said to have appeared on the project server a long time ago: since "any user" was allowed to upload content, a user took advantage of this flaw to place the index file on the Inkscape host.

They explain that this file was removed from the resource database a long time ago, but due to an oversight it remained on the file system and continued to be served through Fastly's caching system. In addition, to reassure the community, the developers reported that a verification of all the files was carried out and confirmed that the integrity of the data had not been violated.

It is worth mentioning that a revision of the release management model was also announced, since the ability to upload arbitrary files to the download server via the gallery can be considered a vulnerability: among other things, an outsider could upload their own tar.gz file with malicious changes to the media.inkscape.org server and pass it off as a release.

To verify the integrity of downloaded files, the developers recommend using the download links from the official site, comparing the checksum with the data published in GitLab, and verifying the digital signature created with the project's GPG key.
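The two checks recommended above (and in the Inkscape representative's reply earlier) can be scripted so that a tarball is never trusted on the strength of the download host alone. The following is an added example written for this article, not Inkscape's own tooling: it assumes the expected SHA-256 digest and the release-signing public key were obtained separately (for example from the project's GitLab and a key server), never from the same server that delivered the tarball. The sample file used in the demo is constructed inline; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not part of the article or of Inkscape's own tooling):
# check a downloaded release tarball against a published SHA-256 value and
# a detached GPG signature. The expected digest and the signing key are
# assumed to have been obtained out of band, never from the download host.

# compute_sha256 FILE -> prints the lowercase hex SHA-256 digest of FILE
compute_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS / BSD fallback
    fi
}

# verify_checksum FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
# The expected value is lower-cased so a digest copied in upper case still matches.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(compute_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $file"
        return 0
    fi
    echo "checksum MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_signature FILE SIGFILE KEYRING -> runs gpg against an explicit
# keyring only, so an unrelated key in the default keyring cannot satisfy
# the check. KEYRING is assumed to hold just the project's release-signing key.
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# verify_release FILE EXPECTED_HEX SIGFILE KEYRING -> both checks must pass.
# Placeholder usage:
#   verify_release inkscape-X.Y.tar.xz <sha256 from GitLab> inkscape-X.Y.tar.xz.sig ./release-key.gpg
verify_release() {
    verify_checksum "$1" "$2" || return 1
    verify_signature "$1" "$3" "$4" || return 1
    echo "release verified: $1"
}

# Constructed demonstration: a stand-in "tarball" whose digest is known
# (SHA-256 of the six bytes "hello\n"). Returns the checksum result.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_checksum "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}
demo
```

The point of `--no-default-keyring --keyring` is that a signature check is only as good as the set of keys it is allowed to match; pinning the keyring to the one key you fetched and verified out of band turns "gpg says good signature" into "signed by the key I expected". A checksum alone only proves the file was not corrupted or swapped after the checksum was published, which is why both steps are kept.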

Finally, if you are interested in knowing more about it, you can check the details at the following link.
