Open Source · 2016-08-02 · 1 day · Data Destruction, Service Disruption

FossHub served MBR-overwriting installers

FossHub's developer and distribution infrastructure was compromised on August 2, 2016, and Windows downloads for Audacity and Classic Shell were replaced with malware that overwrote the master boot record.

Story

This was not really an Audacity incident or a Classic Shell incident. Those projects were the visible victims, but the compromised trust surface was FossHub, the shared download partner that users reached through normal project download flows.

On August 2, 2016, attackers used compromised FossHub-side access to replace Windows .exe downloads for Audacity and Classic Shell with a destructive lookalike installer. Audacity later said its download server served a hacked Audacity 2.1.2 Windows installer for about three hours, and that no Audacity infrastructure was compromised beyond one external FossHub developer account. FossHub's own update said attackers logged in through compromised users, escalated access, uploaded malware to the Classic Shell page, and later appeared to reach an FTP account, prompting FossHub to shut down the main site and reinstall services.

The payload was blunt: an MBR-overwriting trojan. Victims who ran the substituted installer could reboot into a damaged boot path and a message from the attacker instead of Windows. Softpedia's contemporaneous reporting attributed the operation to PeggleCrew and said the attacker claimed access to FossHub production machines, backup and mirror locations, FTP credentials for the caching service, and Google Apps-hosted email; the official FossHub update separately said attempts against DNSMadeEasy, CloudFlare, personal email, and CDN accounts had failed.

The affected projects mattered because they were popular, but they were not the root of the compromise. FossHub was the authority that accepted uploads and delivered binaries. Once that layer fell, the attacker could make legitimate project download pages serve hostile installers without changing either project's source tree. FossHub removed the Classic Shell malware after roughly 300 downloads, reacted faster on Audacity, and kept services offline while rotating passwords, rebuilding access controls, and reinstalling infrastructure. Audacity's follow-up also noted that OldFoss.com had been compromised and taken offline.

Affected Artifacts

OldFoss

oldfoss.com · Distribution Site
Observed
2016-08-03
Compromised Versions
Unknown
Fixed
Not listed
Evidence
distribution: oldfoss.com
advisory: web.archive.org/web/20160807013940/http://www.audacityteam.org/compromised-download-partner
observable: Audacity's security update said OldFoss.com was also compromised and had been put offline.
  • Public sources tied the confirmed malicious downloads to FossHub-hosted Audacity and Classic Shell installers; OldFoss is included as related compromised distribution infrastructure noted by Audacity.

Incident Context

Motive
Disruption Prank
Attribution
Group
Cause
Compromised Account Credentials
Transitive
No
Actor
PeggleCrew

External References

Source record: oss/attacks/fosshub/meta.yaml